Security is paramount in any application, especially in large-scale, distributed J2EE applications. Although J2EE security is critical, it is only one piece of a much larger picture. Security requires an enterprise strategy that addresses physical security, application security, and network security. J2EE security is but one link in that larger chain.

When developing J2EE applications, security is a critical concern. You want to make sure that only authorized users access the application and that hackers can’t steal sensitive data. This chapter describes how you can secure your J2EE application.

The chapter begins by providing an overview of transport and application security as well as defining the important concepts of authentication and authorization. It then explains security in the web and application tiers. The chapter explains the concepts of programmatic security as well as declarative security and then goes on to address various specific enterprise security concerns. Finally, we conclude this chapter by highlighting some of the limitations of the current J2EE security model.

Before we get started, here’s a caveat. In order to cover J2EE security in some detail in this chapter, we assume that you are familiar with numerous security concepts and techniques, including authentication, authorization, encryption, message digests, and digital signatures, to name a few. Depending on your background, you may want to do some further reading in this area as ...