Exploring Crosscutting Design Patterns
Most enterprise applications should be secured to prevent malicious access. They also
require transaction support to maintain data consistency. The Java EE platform
containers provide support for both security and transactions. However, these services
can be applied in any of the application tiers. Security, for example, can be applied in
the presentation tier to prevent unauthorized access to web resources such as
JavaServer Pages. The EJB business tier components also require protection because they
can be accessed by different remote clients. The web services in the integration tier
also need secured access. Similarly, transactional services may be used by the business
tier or by the integration tier data access logic, depending on application need.
Unfortunately, Sun's Java BluePrints and the book Core J2EE Design Patterns by
Deepak Alur, Dan Malks, and John Crupi (Prentice Hall, 2003) do not document any
design strategy for transactions and security, which are of critical importance to an
enterprise application. Therefore, developers and designers often face a dilemma when
deciding the appropriate tier for applying these application concerns. As a result, they
often end up using a low-level Java EE platform security API or the Java Transaction API
in their code. The core application concerns, such as presentation and business logic,
soon become bloated with the transaction and security code mixed into them. Hence, I
decided to dedicate this chapter to discussing design strategies to counter these
crosscutting concerns with the Spring Framework.
The Java EE specification and the Java Authorization and Authentication Service
(JAAS) API try to standardize security services. But they are limited in features and
unsuitable for the majority of applications. The server vendors implement container
security in a proprietary way, resulting in vendor lock-in and limited portability. JAAS,
on the other hand, just provides a standard interface. Container support for JAAS also
lacks consistency. So, development teams generally resort to a custom solution,
which consumes a significant portion of their development time. Spring Security, which
was earlier known as Acegi Security, is an easy-to-use and flexible security framework
that works irrespective of the container. It is based on the Spring IOC container and