A Look at Java and J2EE Security Standards
J2EE security builds on the foundation of the Java security APIs. These APIs include application-level interfaces such as the Java Authentication and Authorization Service (JAAS) and the Java Authorization Contract for Containers (JACC ) as well as lower-level APIs such as the Java Cryptography Extension (JCE ), the Java Secure Socket Extension (JSSE), and the Java Generic Security Services (GSS) API. While the nuts and bolts of these standards are often hidden from the developer, it helps to understand what security pieces the standards provide, especially as you evaluate application servers or security providers, for example.
Authentication and Authorization in Java Security
The core Java security model is based on .policy files that govern the allowed operations for specific pieces of code. These pieces of code are defined based on their packages and classes, where the code originated, and who (if anyone) signed the code. This level of security is often called code-level security, since you are authorizing chunks of code to do specific things rather than the users who are interacting with the code.
JAAS enhances the Java security model by providing user-level security. JAAS deals with authenticating users (referred to in JAAS as subjects) and authorizing them to run certain programs, applets, or jars based on a variety of criteria, all specified in the same .policy file used for code-level security. JAAS is a required element in both ...
Get Java Enterprise in a Nutshell, Third Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.