Q: I’m confused—if I’m creating servlets, shouldn’t I be thinking about security considerations?
A: Yes, you should; Kim the servlet provider was being a little sarcastic. A key point when designing servlets is their modularity. For instance, it makes sense to separate browsing capabilities from updating capabilities. If these two use cases are implemented in separate servlets, then it will be easy for the deployer to assign different security constraints to them.
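The following deployment descriptor is an added example, not taken from the book, showing what that separation gives the deployer: each servlet has its own URL pattern, so each can carry its own declarative constraint. The servlet names, classes, URL patterns and role names are hypothetical.

```xml
<!-- Constructed example: every servlet name, class, URL pattern and role here is hypothetical. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>BrowseCatalog</servlet-name>
    <servlet-class>com.example.BrowseCatalogServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>UpdateCatalog</servlet-name>
    <servlet-class>com.example.UpdateCatalogServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>BrowseCatalog</servlet-name>
    <url-pattern>/catalog/browse/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>UpdateCatalog</servlet-name>
    <url-pattern>/catalog/update/*</url-pattern>
  </servlet-mapping>
  <!-- Browsing: Member or Admin. No http-method is listed, so every HTTP method is constrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Catalog browsing</web-resource-name>
      <url-pattern>/catalog/browse/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Member</role-name>
      <role-name>Admin</role-name>
    </auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <!-- Updating: Admin only. A Member who authenticates successfully still gets 403 here. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Catalog updating</web-resource-name>
      <url-pattern>/catalog/update/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role><role-name>Member</role-name></security-role>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>
```

Had browsing and updating lived in one servlet behind one URL pattern, the container could not tell the two use cases apart, and the role check would have to move into the servlet code.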
Q: I don’t know where YOU work, but in my situation I have to wear all three hats: developer, admin, and deployer.
A: That’s actually a very common situation. We still recommend that when you’re implementing security you do it in stages and “imagine” that you’re wearing one hat at a time.
Q: How does programmatic security fit into the picture?
A: We’ll get to programmatic security later in the chapter. For now, what’s important to know is that you’ll probably find that 95% of the security work you’ll do in servlets will be declarative. Programmatic security just isn’t used very much. (See “Top Ten Reasons...”)
Q: So far everything you’ve talked about is ...