Day 15. Security

So far, you have developed your J2EE application without considering security. Now you will look at how to add security constraints to your system to prevent loss of privacy or to keep unauthorized clients from accessing data and causing accidental or malicious damage.

In today's lesson, you will look at

  • How the J2EE specification supports the common requirements for a secure system

  • The common terminology used when discussing system security

  • Symmetric and asymmetric encryption

  • Securing a J2EE application using principals and roles

  • Using declarative security for EJBs and Web pages

  • Using programmatic security in EJBs and Web pages

  • Supplying security credentials to an LDAP naming service provider for JNDI

Security is an essential aspect of most, if not all, enterprise applications. However, defining an application as secure is not as easy as it sounds, because the definition of secure can be interpreted in different ways.

To some users, a Web site is secure if they have to provide a username and password to obtain access to the Web pages. As you will see, just because a site requires a user to log in does not make it secure.

Understanding and applying security requires knowledge of the security terminology and technologies in common use. Before you study J2EE security, the next sections describe basic aspects of IT security. If you are comfortable with basic security principles, feel free to skip forward to the “Security in J2EE” section.
