System News
How to Secure Java EE Applications
With Sun Java Studio Enterprise 8 and Application Server 8.1
September 19, 2005,
Volume 91, Issue 3

In a Sun Developer Network technical article, Srividhya (Vidhya) Narayanan, Chris Webster and Marina Sum explain the security aspects of Java™ Platform, Enterprise Edition (Java™ EE) and demonstrate how to protect resources in a sample web application and a web service with the new early access release of the Sun Java™ Studio Enterprise 8 and the Sun Java™ System Application Server 8.1, which is packaged with Java Studio Enterprise.

Two types of security are available with Java EE: declarative security and programmatic security. The writers define declarative security as external to the application code, a way to specify the use of the security resources provided by the underlying application server. Programmatic security is written into the business logic itself and is often used for customization.

"With declarative security, you can override entries in the DD (deployment descriptor) at application assembly time without affecting the underlying archive's alternate mechanism for DDs. That way, you can use a DD other than the one packaged in the archive. This alternate DD can override configuration information, such as the names of security roles," they explain. "Thus, if you opt for programmatic security, be sure to declare security-role references in either the servlet or EJB (Enterprise JavaBeans)* DDs. Those declarations specify the string referenced in the application code and a link to the role defined in the application, hence affording a level of indirection and enabling the role name to be modified during assembly without recompilation of the code."

The article then proceeds by walking readers through securing a web application with two JavaServer Pages™ (JSP™)+, specifically index.jsp and gold.jsp. This demonstration offers advice on creating the servlet, the roles, the DD elements and the HTML pages, and on configuring the Java System Application Server 8.1.

In their discussion of web services, Narayanan, Webster and Sum introduce various specifications and standards. The authors also address some of the additional security challenges that accompany securing web services. They write, "Apart from securing the web application itself, you can further protect the data that are transferred by turning on the Transaction Layer Security (TLS) or Secure Sockets Layer (SSL) protocol at the container level. Doing so encrypts the data that flow in and out of the application and is the most common and easiest way for securing exchanged data today. The main benefit of this method is that SSL is a well-known and mostly automated technology that's easy to set up. However, exposure to intermediaries - systems that serve as value-added proxies for the ultimate service - is a drawback, especially in web services-based applications."
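The declarative and programmatic mechanisms described above, and the container-level TLS/SSL protection, all come together in the web application's deployment descriptor. The following web.xml is an added example and is not the article's own code: it assumes a role named "gold", a servlet named GoldServlet in class example.GoldServlet, the coded role string "premium", and the Application Server's default "file" realm.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml, not taken from the article.
     Assumed names: role "gold", servlet GoldServlet (class example.GoldServlet),
     coded role string "premium", realm "file". -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <servlet>
    <servlet-name>GoldServlet</servlet-name>
    <servlet-class>example.GoldServlet</servlet-class>
    <!-- Programmatic security: the servlet code calls
         request.isUserInRole("premium"). This reference links the string
         used in the code to the declared role "gold", so the role can be
         renamed at assembly time without recompiling the servlet. -->
    <security-role-ref>
      <role-name>premium</role-name>
      <role-link>gold</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>GoldServlet</servlet-name>
    <url-pattern>/gold</url-pattern>
  </servlet-mapping>

  <!-- Declarative security: only users in the "gold" role may reach gold.jsp
       and /gold. No http-method is listed on purpose: listing methods would
       leave every unlisted method unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Gold area</web-resource-name>
      <url-pattern>/gold.jsp</url-pattern>
      <url-pattern>/gold</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>gold</role-name>
    </auth-constraint>
    <!-- Container-level TLS/SSL: CONFIDENTIAL makes the container redirect
         plain HTTP requests for these resources to the HTTPS listener. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- index.jsp carries no constraint and remains reachable by everyone. -->

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
  </login-config>

  <security-role>
    <role-name>gold</role-name>
  </security-role>
</web-app>
```

Two points worth checking after deploying a descriptor like this: the declared role still has to be mapped to real users or groups on the server side (in Application Server 8.1 that mapping lives in the sun-web.xml descriptor, which the article's configuration steps cover), and BASIC authentication sends credentials in an easily decoded header, so the CONFIDENTIAL transport guarantee should cover the login path as well as gold.jsp.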

Message-level security (MLS) is offered as a solution that encrypts and protects the data at the message level. A figure later in the article gives further details on enabling MLS and configuring the Java System Application Server 8.1 for it.

Readers are invited to work through three Java Studio Enterprise project directories: ClientPingHello, PingHelloService and HelloEndService, from a ZIP file that is available for download. Each one of the project directories is detailed with code snippets as a reference.

* Note: EJB is a Sun trademark, and not just an abbreviation for Enterprise JavaBeans.

+ Note: JSP is a Sun trademark, and not just an abbreviation for JavaServer Pages.

Keywords: fullsource
