Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management

Topics in This Chapter

  • J2EE Architecture and Its Logical Tiers

  • J2EE Security Definitions

  • J2EE Security Infrastructure

  • J2EE Container-Based Security

  • J2EE Component/Tier-Level Security

  • J2EE Client Security

  • EJB Tier or Business Component Security

  • EIS Integration Tier: Overview

  • J2EE Architecture: Network Topology

  • J2EE Web Services Security: Overview

The J2EE platform provides a multi-tier application infrastructure solution for developing and deploying portable and scalable distributed computing applications. It is essentially a set of Java technologies that can span from the client tier to the presentation tier to the business logic and finally to back-end resources. The J2EE platform is also designed to provide a full-fledged security architectural model that addresses the core security requirements of a multi-tier application infrastructure.

The key challenges of implementing end-to-end security across multiple tiers of J2EE application architecture involve ensuring security of every component that contributes to the infrastructure, from its network services to the ultimate client of the target resource. Accordingly, the security of the infrastructure must meet the critical security requirements of maintaining the integrity and the confidentiality of data and transport; preventing unauthorized use or damage caused by any unprivileged user(s); and avoiding the associated potential risks.

To achieve end-to-end security of the J2EE infrastructure, security is addressed in all deployed components and associated container services, allowing propagation of security across all logical tiers of the application and its exposed Web services. J2EE builds on the underlying Java platform security and its extensible security architecture APIs, with additional features provided by the J2EE container services and components.

Over the course of this chapter, we will study J2EE security architecture and mechanisms provided by the J2EE server container and components. In particular, we will take a closer look at the J2EE security mechanisms available to the logical tiers and components that contribute to building end-to-end security for J2EE-based applications and Web services. At the time of writing this book, the J2EE 1.4 specification has been released as a public specification, and this chapter addresses that version of J2EE.

This chapter assumes that you have worked with J2EE components such as JSPs, Servlets, and EJBs for J2EE application servers.
