Introduction to Java EE Web Application Security from a Developer perspective

Security is one of the most important aspects of almost all web applications.  There are many areas of concern like client and server machine security, transmission channel security, database security etc.

While most security concerns are the responsibility of server or network administrators, application developers should also be concerned about some of the aspects of security such as authentication, authorization, data integrity and confidentiality.

  1. Authentication

    • is the process of verifying the identity of a user, usually by checking a username and password.

    • Once authenticated, we may refer to the user as an authenticated user or a logged-in user.

  2. Authorization

    • is the process of checking if a user is allowed to access a particular resource on the server.

  3. Data integrity

    • is the process of verifying if data is transmitted without corruption or modification, thus making sure that the data received at the receiver end is in fact the same message sent by the sender.

  4. Confidentiality

    • is the process of maintaining data privacy wherein we secure the communications channel, to make sure the data is not accessed in its original form by a third party by eavesdropping.


Authentication in Java EE Applications

Java EE provides four different ways to authenticate a user:

  1. Basic Authentication

  2. Digest Authentication

  3. Form Authentication

  4. SSL Certificates

Data used to authenticate a user are called credentials; while the first three rely on username and password provided by user, the fourth one relies on encryption techniques and certificates.


Authorization in Java EE Applications

Authorization may be done in different ways, including:

  1. Programmatically controlling access to resources based on individual user’s credentials.

  2. Assigning users to different groups called roles and assigning permissions based on those roles.


Steps for role based authorization can be summarized as:

  1. Define roles, users and create mapping between them

  2. Define resource collections to which security should be applied

  3. Map roles with security constraints


Data integrity and Confidentiality in Java EE web applications

Confidentiality and data integrity are related to securing the communications channel.

We can declaratively specify the level of channel security we need: NONE, INTEGRAL or CONFIDENTIAL (which implies INTEGRAL).


Specifying security requirements in Java EE applications

Java EE allows us to define these security requirements, mainly in three ways:

  1. We can declare security requirements for an individual resource or a set of resources declaratively, through the deployment descriptor (web.xml).

  2. We can declare security requirements for individual components through the use of annotations.

  3. We can program security requirements in Java code rather than relying on the container's declarative security model.


We will see all these in detail in further notes in this notebook.

Activities (1) advanced java (1) agile (3) App Servers (6) archived notes (2) Arrays (1) Best Practices (12) Best Practices (Design) (3) Best Practices (Java) (7) Best Practices (Java EE) (1) BigData (3) Chars & Encodings (6) coding problems (2) Collections (15) contests (3) Core Java (All) (55) course plan (2) Database (12) Design patterns (8) dev tools (3) downloads (2) eclipse (9) Essentials (1) examples (14) Exception (1) Exceptions (4) Exercise (1) exercises (6) Getting Started (18) Groovy (2) hadoop (4) hibernate (77) hibernate interview questions (6) History (1) Hot book (5) http monitoring (2) Inheritance (4) intellij (1) java 8 notes (4) Java 9 (1) Java Concepts (7) Java Core (9) java ee exercises (1) java ee interview questions (2) Java Elements (16) Java Environment (1) Java Features (4) java interview points (4) java interview questions (4) javajee initiatives (1) javajee thoughts (3) Java Performance (6) Java Programmer 1 (11) Java Programmer 2 (7) Javascript Frameworks (1) Java SE Professional (1) JPA 1 - Module (6) JPA 1 - Modules (1) JSP (1) Legacy Java (1) linked list (3) maven (1) Multithreading (16) NFR (1) No SQL (1) Object Oriented (9) OCPJP (4) OCPWCD (1) OOAD (3) Operators (4) Overloading (2) Overriding (2) Overviews (1) policies (1) programming (1) Quartz Scheduler (1) Quizzes (17) RabbitMQ (1) references (2) restful web service (3) Searching (1) security (10) Servlets (8) Servlets and JSP (31) Site Usage Guidelines (1) Sorting (1) source code management (1) spring (4) spring boot (3) Spring Examples (1) Spring Features (1) spring jpa (1) Stack (1) Streams & IO (3) Strings (11) SW Developer Tools (2) testing (1) troubleshooting (1) user interface (1) vxml (8) web services (1) Web Technologies (1) Web Technology Books (1) youtube (1)