Java 2EE and XML Development

Скачать в pdf «Java 2EE and XML Development»

DEFINITION Authentication is the process of verifying that someone is who he or she purports to be.

J2EE addresses authentication and authorization via the Java Authentication and Authorization Service (JAAS). This is an implementation of the Pluggable Authentication Module (PAM) security architecture, in which various security provider implementations can be plugged in to your J2EE environment. Each of these providers might implement authentication and authorization in different ways, but your components are shielded from the details and always access security information through a standard interface.

DEFINITION Authorization is the process of ensuring that each authenticated user can only access the resources that he or she has the right to access.

JAAS is soon to become a part of the base Java platform, in version 1.4. Using JAAS may seem like an obvious way to go with J2EE security requirements. The devil can be found in the details, as usual. There are currently two major drawbacks to using JAAS. The first is that you must declare your application security policy in deployment descriptors and configuration files rather than within the application itself. This can be error-prone and inconvenient, especially in the case of web applications. It is often impractical to rely on your J2EE container to authenticate and authorize users, especially when they register and self-administer their accounts via the Web. If your security policy must be updated dynamically at runtime, using JAAS can be impractical. Your application security model must also fit well with such JAAS concepts as authorization realms and principals.

The second drawback is the naive simplicity of many JAAS provider implementations. The out-of-the-box JAAS provider usually consists of authorization realm and credential information being stored in a plain text file or unencrypted database fields. This means that, even if you find a way to delegate your application security to the container, the manner in which your application is secured is very suspect.

Скачать в pdf «Java 2EE and XML Development»