Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management

All J2EE components, regardless of whether they are Web (presentation components) or EJB (business components), must be assembled and deployed in the appropriate container of the J2EE server infrastructure. The J2EE platform vendors implement the J2EE component container and services that act as the server infrastructure for executing these components. In addition to providing an execution environment, the J2EE server also provides managed services such as security, transactions, persistence, connection, resource pooling, and so forth.

In a J2EE server infrastructure, the J2EE security services ensure that the security of the application data accessed is protected over the different logical tiers, between the requests and responses, and across the components and resources. The J2EE server-facilitated security infrastructure takes much of the burden of securing the application from the application developers, allowing them to concentrate on implementing the business logic of the application.

In general, most J2EE application servers provide the following security services:

• Security realms to protect server resources representing a logical group of users, groups, and access control lists (ACLs).

• Authentication mechanisms to identify the user requesting access to J2EE server-managed resources. Authentication can be accomplished using a username/password combination or digital certificates, with which a client is authenticated using the identity of the X.509 certificate provided to the server as part of an SSL authentication.

• Authorization of users and groups through ACLs, which allows policy enforcement and access restriction to specific users and resources.

• Data integrity and confidentiality by securing communication using SSL/TLS protocols. Clients can establish secure communication with the server via SSL sessions using HTTP or RMI/IIOP over SSL.

• Auditing and logging of events for identification of failed login attempts, authentication requests, rejected digital certificates, and invalid ACLs.

• Client connection filtering for the purpose of accepting or rejecting client requests based on the origin (Host name or network address verification) or protocol of the client.

• Support for pluggable JAAS-based authentication and authorization services.

• Support for pluggable authorization using Java Authorization Contract for Containers (JACC).

• Support for third-party security services via pluggable security provider agents to provide support for Web servers, portals, and other business applications.

• Implementation of Java-extensible security architecture and APIs such as JSSE, JCE, and so forth.

• Realm and User Directory Support using File, LDAP, and Relational databases.

• Support for single sign-on across all J2EE applications within a single security domain.

Some of these security infrastructure services are mandated by the J2EE specification, and it is the application server vendor's responsibility to ensure that these technologies are integrated into the J2EE server environment.

In addition to the J2EE security infrastructure provided by the server vendors, the J2EE specification dictates that a standardized security model be applied to the J2EE components within the logical tiers using the J2EE container-based security mechanisms.