Home arrow Java arrow JAAS, Securing J2EE Applications: Securing Web Components
JAVA

JAAS, Securing J2EE Applications: Securing Web Components


Web applications must be developed with security in mind right from the start. Developers should plan for securing a web application with both the web server and the application server in mind. Securing a J2EE application can seem very complicated, however. This article, the first of two parts, explains how to secure J2EE web components.

Author Info:
By: A.P.Rajshekhar
Rating: 4 stars4 stars4 stars4 stars4 stars / 39
August 17, 2005
TABLE OF CONTENTS:
  1. · JAAS, Securing J2EE Applications: Securing Web Components
  2. · JAAS: What is it?
  3. · Subject, Principal and Credentials
  4. · Implementing the JAAS Security Module
  5. · 2. Write the CallBackHandler
  6. · 4. Configure the JAAS policy file
  7. · Using the JAAS Module to Secure the Web Component

print this article
SEARCH DEVARTICLES

JAAS, Securing J2EE Applications: Securing Web Components
(Page 1 of 7 )

“Prevention is better than cure”

This age old adage holds true even today, especially in the case of web applications. Site defacement is only one aspect of website attacks. It does not augur well if the security of an application is first considered after an attack. Applications must be developed with their security aspects well defined in advance.

Until a few years ago, security meant securing the web server. But with the advent of server-side programming, security cannot be limited to the resources within the web server, as most of the processing and servicing of the request is done by code executing within the application server. In the case of J2EE, securing a web application can be perplexing; a J2EE application can consist of one or more different components, each providing service to a different layer. So what is the solution? The solution comes in two different packages:

  • Declarative Security: If one is adopting this approach, then all the security constraints are specified within the web.xml file of the application. The container reads these constraints and performs the access control for that particular application.

  • Programmatic Security: Under this model, the responsibility for securing the web application belongs solely to the programmer. The logic for authenticatomg and authorizing the user is embedded within the application. It can exist as a service at the boundary of the application or within each module.

Realms based security comes under the former, while Java Authentication and Authorization Services (JAAS) based security comes under the latter. The next obvious question that arises is, which is superior? The answer, often repeated, is that the context determines usage. If codeless security is the context, then declarative security is better. If fine-grained control is the requirement, then programmatic security is the best choice. 

Resuming the context of J2EE components, they are divided into Web Components and Business Components. Servlets and JSPs are Web Components whereas Enterprise Java Beans (EJBs) are Business Components. The method for securing Web Components is different from that for securing Business Components. In this tutorial, I will be discussing how to securing Web Components using JAAS. Before implementation is discussed, it is better to get acquainted with the JAAS, its overview and its vocabulary.


blog comments powered by Disqus
JAVA ARTICLES

- Java Too Insecure, Says Microsoft Researcher
- Google Beats Oracle in Java Ruling
- Deploying Multiple Java Applets as One
- Deploying Java Applets
- Understanding Deployment Frameworks
- Database Programming in Java Using JDBC
- Extension Interfaces and SAX
- Entities, Handlers and SAX
- Advanced SAX
- Conversions and Java Print Streams
- Formatters and Java Print Streams
- Java Print Streams
- Wildcards, Arrays, and Generics in Java
- Wildcards and Generic Methods in Java
- Finishing the Project: Java Web Development ...

Watch our Tech Videos 
Dev Articles Forums 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us 
Weekly Newsletter
 
Developer Updates  
Free Website Content 
Contact Us 
Site Map 
Privacy Policy 
Support 

Developer Shed Affiliates

 




© 2003-2014 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap
Popular Web Development Topics
All Web Development Tutorials