Summary

Today, you have looked at several aspects of J2EE security. You've studied basic security terminology, including the difference between authentication and authorization.

You have seen how the J2EE specification does not mandate a particular authentication scheme but relies on the server to authenticate the client by some means (for Web clients the standard options are HTTP basic, digest, form-based and client-certificate authentication). The authenticated identity is represented as a J2EE principal, whose name is normally the username.

J2EE authorization is based on roles declared in each EJB JAR or Web archive (WAR) in the application. Each authenticated principal can be mapped onto one or more roles; the mapping of real users and groups onto roles is done by the deployer in a server-specific way, not in the portable deployment descriptors.

J2EE uses declarative constraints in the deployment descriptors to define authorization in terms of the roles declared in the application. Each method in an EJB can be left unchecked (callable by any principal), restricted to a specific list of roles, or excluded so that no caller can invoke it. Similarly, Web resources, identified by URL pattern and HTTP method, can be restricted to specific roles. This declarative approach decouples the development of the EJB and Web code from the runtime authentication scheme, and separates the developer role from the assembler and deployer roles.

Programmatic security is used when declarative constraints cannot express the application's authorization requirements, for example when the decision depends on the data being acted on rather than on which method or page is being called. An EJB becomes security aware through EJBContext.getCallerPrincipal() and EJBContext.isCallerInRole(), and a servlet or JSP through HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(). This information can be used to change the behavior of an EJB or Web page based on the client's security credentials, at the cost of hard-coding role names into the source.
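The two classes below are an added example of a security-aware EJB and servlet, not code from the original text. AccountBean, ReportServlet, the role names teller and manager, the 10000 threshold and the two report helper methods are assumptions chosen for the illustration; the container API calls (getCallerPrincipal, isCallerInRole, getUserPrincipal, isUserInRole) are the standard EJB 2.0 and Servlet 2.3 methods. The two classes live in separate source files.

```java
// File 1: AccountBean.java (constructed example; bean and role names are assumed)
import java.security.Principal;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class AccountBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }

    // The declarative method-permission decides WHETHER transfer() may be
    // called. This check decides HOW MUCH the caller may move, a rule that
    // depends on the arguments and so cannot be written in ejb-jar.xml.
    public void transfer(String from, String to, long amount) {
        // Inside a business method the caller principal is never null: the
        // container has either authenticated the caller or applied a run-as
        // identity before dispatching the call.
        Principal caller = ctx.getCallerPrincipal();

        // "manager" is a role reference. It must be linked to a declared role
        // with a <security-role-ref> in ejb-jar.xml, otherwise the assembler
        // cannot rename roles without editing this source.
        boolean manager = ctx.isCallerInRole("manager");

        if (amount > 10000L && !manager) {
            // A RuntimeException is a system exception: the container rolls
            // back the transaction, discards this instance and the client
            // sees a RemoteException or EJBException.
            throw new SecurityException("Transfers over 10000 require the manager role; caller="
                    + caller.getName());
        }
        // The actual debit and credit would follow here.
    }

    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}

// File 2: ReportServlet.java (constructed example)
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Unlike an EJB, a servlet may run with no authenticated user if its
        // URL is not covered by a security-constraint, so the null case must
        // be handled explicitly.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Same page, different content depending on the caller's role.
        // "manager" here also needs a <security-role-ref> under the <servlet>
        // element in web.xml to be portable across role renamings.
        boolean manager = req.isUserInRole("manager");
        resp.setContentType("text/plain");
        resp.getWriter().println(manager ? allAccountsReport() : ownAccountsReport(user.getName()));
    }

    // Assumed helpers: in a real application these would call the EJB tier.
    private String allAccountsReport() { return "all accounts"; }
    private String ownAccountsReport(String username) { return "accounts of " + username; }
}
```

Keep the programmatic checks to the decisions that really depend on data, and leave method- and URL-level access to the descriptors: a role name that appears only in a method-permission can be renamed by the assembler, while one that appears in source code can only be changed by the developer.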

Adding declarative security to a J2EE application is a straightforward process. Careful design of the functionality in each EJB or Web page, so that each component does one job that maps cleanly onto a role, enables an assembler to apply consistent security constraints across the several J2EE components that make up a complete application.
