Enterprise Java™ Security: Building Secure J2EE™ Applications

Any sound specification should be backed by a solid implementation that adheres to the specification; is secure, reliable, and administrable; and performs well. A J2EE container implementation should provide these qualities while adhering to the J2EE specification. This chapter discusses security considerations that a container provider should take into account while designing and implementing a J2EE container. This chapter also provides an approach to implementing a container runtime by making use of available technologies, including Java security technologies. For example, authentication, authorization, and delegation facilities within a J2EE container can be implemented based on existing Java security technologies.

This chapter starts by discussing the environment in which J2EE containers are deployed and then discusses how JAAS LoginModules can provide a modular and pluggable mechanism to achieve authentication. Authorization implementation comprises administration facilities and a runtime implementation. This chapter discusses an interpretation of security roles as a set of permissions and explains how to achieve better administration, as well as the abstraction of various organizational roles that are involved in application development, deployment, and administration.
