heavily relies on its DI and AOP features. It provides declarative security to web requests
and business methods. It is highly extensible and provides out-of-the-box components
that cover almost every custom security need. In this chapter, I will apply Spring Security
in the context of some frequently used Java EE security patterns described in the book
Core Security Patterns by Christopher Steel, Ramesh Nagappan, and Ray Lai (Prentice
Hall, 2005).
Unlike with security, the Java EE containers provide robust support for distributed
transactions involving a variety of middleware and database servers. The Java EE
specification supports both the programmatic and declarative modes of transaction control.
Declarative transaction control is highly flexible and can be controlled by configuration.
Programmatic transaction management, on the other hand, can be very cumbersome
to develop and maintain. In this chapter, I will focus more on transaction strategies
primarily based on Spring AOP support and in the process explore some patterns
discussed in the book Java Transaction Design Strategies by Mark Richards (, 2006).
In this chapter, I will heavily use AOP concepts. I will also call upon the Spring
Framework's AOP support for several examples. If you are new to AOP, then get started
with the book Foundations of AOP for J2EE Development by Renaud Pawlak,
Jean-Philippe Retaillé, and Lionel Seinturier (Apress, 2006). Also, you should read the Spring
AOP documentation at
aop.html .
Authentication and Authorization Enforcer
The eInsure application handled sensitive information related to policies purchased by
thousands of people. It also managed crucial business intelligence data that was
accessible to the senior management of the companies using this product. So, it was important
that eInsure allowed only trusted parties to access data to prevent any kind of data loss or
The common strategy used by an enterprise application to establish trust with
external users or systems is known as authentication. In the authentication process, the
system asks a user one simple question: “Who are you?” The user responds by
supplying a principal (username) and credential (password). The system verifies the
principal-credential combination, and if a match is found, the user is allowed to access
the system. Note that authentication does not guarantee that the user has access to
system resources. It merely unlocks the door to the web resources.
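
The following sketch is an added example, not code from the book or from Spring Security. It uses only the JDK to show the principal-credential check as one step and the access decision as a separate step. The account names, role names, passwords, and PBKDF2 iteration count are constructed assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class AuthEnforcerDemo {
    // Stored account: salt plus PBKDF2 hash of the credential, never the password itself.
    record Account(byte[] salt, byte[] hash, Set<String> roles) {}

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256); // assumed work factor
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    static Account register(String password, String... roles) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new Account(salt, pbkdf2(password.toCharArray(), salt), Set.of(roles));
    }

    // Authentication: "Who are you?" Verifies the principal-credential pair and nothing else.
    // Unknown principals still pay for one hash so response time does not reveal valid usernames.
    static Optional<String> authenticate(Map<String, Account> users, String principal,
                                         String credential) throws Exception {
        Account a = users.get(principal);
        byte[] salt = (a != null) ? a.salt() : new byte[16];
        byte[] candidate = pbkdf2(credential.toCharArray(), salt);
        boolean match = a != null && MessageDigest.isEqual(candidate, a.hash()); // constant-time compare
        return match ? Optional.of(principal) : Optional.empty();
    }

    // Authorization: a separate decision made per resource for an already authenticated principal.
    static boolean authorize(Map<String, Account> users, String principal, String requiredRole) {
        Account a = users.get(principal);
        return a != null && a.roles().contains(requiredRole);
    }

    public static void main(String[] args) throws Exception {
        Map<String, Account> users = Map.of( // constructed sample accounts
            "agent01", register("constructed-pass-1", "AGENT"),
            "cfo01", register("constructed-pass-2", "AGENT", "SENIOR_MANAGEMENT"));
        Optional<String> who = authenticate(users, "agent01", "constructed-pass-1");
        System.out.println("agent01 authenticated: " + who.isPresent());
        System.out.println("agent01 may read BI data: "
            + who.map(p -> authorize(users, p, "SENIOR_MANAGEMENT")).orElse(false));
        System.out.println("wrong password accepted: " + authenticate(users, "agent01", "guess").isPresent());
    }
}
```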