The J2EE Security Model - JSP

To implement authentication, access control, data integrity, and confidentiality on the J2EE platform, you need to understand a number of concepts discussed in the following sections.

Roles and Principals

Within any Web application there can be different types of users: some might be registered users, some premium users, and some entry-level users. These different types of users have different access levels within the Web application, and each such type is referred to as a role.

Individual users are then assigned to these roles; the principal is the actual authenticated user, so a principal can be in one or more roles. To put it in concrete terms: I am a registered user of a Web site, my username is johndoe, and I am a premium user. My principal is johndoe, and one of my roles could be Premium User. The principal and role information can be stored in a variety of ways: in an LDAP directory, an NT domain, or a database, and the application server is configured to consult that store when it authenticates a user and resolves the user's roles. WebLogic, for example, has out-of-the-box support for all of these.

Declarative and Programmatic Security

Within the J2EE standard, you can implement security in two ways:

  • Declarative security—security rules are defined in the deployment descriptors (web.xml for a Web application, ejb-jar.xml for EJBs) rather than in code: which URL patterns or EJB methods require which roles, how users authenticate, and whether a resource needs a confidential transport. The container enforces these rules, and writing them is the responsibility of the application's deployer rather than its developer.
  • Programmatic security—security checks are written into the application code using the security APIs, for example HttpServletRequest.isUserInRole() and getUserPrincipal() in a servlet or JSP, or EJBContext.isCallerInRole() in an EJB. This is the responsibility of the developer rather than the deployer, and it is what you need when a decision depends on more than which URL or method was requested.
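As an added example (not code from the original page, and not any vendor's own code), here is how the two approaches combine in one Web application: the comment at the top holds the web.xml declarations the deployer owns, and the servlet body holds the checks the developer owns. The role names registered and premium, the URL pattern /reports/*, the login pages, and the ReportServlet class are all assumed for the illustration. Java is used because the same HttpServletRequest calls are what a JSP page makes through its implicit request object.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Declarative side: the fragment of web.xml this servlet assumes (hypothetical
 * role names "registered" and "premium", hypothetical URL pattern /reports/*).
 * The container authenticates the caller with a FORM login and rejects any
 * request to /reports/* from a principal in neither role before this servlet
 * runs. No <http-method> elements are listed on purpose: a constraint that
 * names only GET and POST leaves HEAD, PUT and the other methods unconstrained.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Reports</web-resource-name>
 *       <url-pattern>/reports/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>registered</role-name>
 *       <role-name>premium</role-name>
 *     </auth-constraint>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 *
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login-error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *
 *   <security-role><role-name>registered</role-name></security-role>
 *   <security-role><role-name>premium</role-name></security-role>
 */
public class ReportServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Programmatic side. The principal is the authenticated user; it is
        // non-null here only because the constraint above covers this URL.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Defense in depth: if the servlet is ever mapped outside the
            // constrained pattern, refuse rather than serve an anonymous caller.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Role membership is checked by name. The name must be declared in
        // <security-role>, or mapped through <security-role-ref> in this
        // servlet's <servlet> element, or the check silently returns false.
        boolean premium = request.isUserInRole("premium");
        boolean registered = request.isUserInRole("registered");
        if (!premium && !registered) {
            // Authenticated but in no role this servlet serves (for instance
            // the declarative constraint was loosened later): fail closed.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        // getRemoteUser() is the principal's login name; record it for audit.
        out.println("Report for " + request.getRemoteUser());
        out.println(premium ? fullReport() : summaryReport());
    }

    // Report bodies are placeholders; the point is that the role decides which
    // one is returned, a distinction a URL constraint alone cannot express.
    private String fullReport() {
        return "full report: all sections";
    }

    private String summaryReport() {
        return "summary report: public sections only";
    }
}
```

In a JSP the same decision reads `<% if (request.isUserInRole("premium")) { %> ... <% } %>`; everything the servlet does with request works unchanged there. Map the servlet with a <servlet-mapping> whose <url-pattern> falls inside /reports/* so the declarative constraint actually applies; if the mapping and the constraint ever drift apart, the null-principal check is what stops anonymous access.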

As we explore how security is actually implemented in Web applications, you'll see examples of roles and principals, and also examples of declarative and programmatic security. We'll start with declarative security via authentication.

