Chapter 7
Developing a Bulletproof Access Control System for a Java Web Application
Access control is one of the basic constituents of a strong information security practice. Access
control ensures that only authenticated and authorized individuals can gain access to sensitive
information. This chapter delves deeply into access control and its elements, authentication and
authorization. The various concepts of access control are explained in detail. Details on various
access control models are also provided. This chapter then focuses on the access control best
practices for Web applications and also provides a view of security compliance requirements that are
related to access control. Finally, the chapter dives deep into the development of a strong access
control system with the new Java EE.
7.1 Overview of Access Control Systems
7.1.1 A Brief History/Evolution of Access Control Mechanisms
The terms authentication and authorization are often used interchangeably. However, they mean
two different things entirely. Authentication can be defined as the process of identifying and proving
the identity of an entity/user to a system. Authentication is a method by which a user is identified by
the system as an actual user of a system and is allowed to access the said system. Authentication
aims at answering two important questions before providing the user access to the system. The
questions are “Who is the user?” and “Is the user really who he/she claims to be?” For instance,
when we access our emails on the Internet every day, we provide a username and a password.
The username identifies the user to the system and answers the first question of authentication,
“Who is the user?” The user in an email system would have a particular username used to identify
himself or herself. The password is the authentication parameter that answers the question, “Is the
user really who he/she claims to be?” When a user enters the right password into the system, the
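The two authentication questions above, followed by the separate authorization decision, as an added Java example that is not the book's code; the in-memory user store, the PBKDF2 work factor and the role names are constructed assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical demo, not the book's code: identification, proof of identity and authorization as distinct steps. */
public class AccessControlDemo {
    private static final int ITERATIONS = 210_000;          // assumed PBKDF2 work factor
    private static final byte[] DUMMY_SALT = new byte[16];  // used when the username is unknown
    private static final Map<String, byte[]> SALTS = new HashMap<>();   // constructed user store
    private static final Map<String, byte[]> HASHES = new HashMap<>();
    private static final Map<String, Set<String>> ROLES = new HashMap<>();

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    /** Enrol a constructed sample user; only salt and hash are stored, never the password. */
    static void register(String user, String password, Set<String> roles) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        SALTS.put(user, salt);
        HASHES.put(user, pbkdf2(password.toCharArray(), salt));
        ROLES.put(user, roles);
    }

    /** "Who is the user?" is answered by the username lookup; "Is the user really who he/she claims
     *  to be?" by the password check. An unknown name still costs one PBKDF2 run so that response
     *  timing does not reveal which usernames exist; MessageDigest.isEqual compares in constant time. */
    static boolean authenticate(String user, String password) throws Exception {
        byte[] stored = HASHES.get(user);
        byte[] salt = stored == null ? DUMMY_SALT : SALTS.get(user);
        byte[] candidate = pbkdf2(password.toCharArray(), salt);
        return stored != null && MessageDigest.isEqual(stored, candidate);
    }

    /** Authorization is a separate decision, taken only after authentication has succeeded. */
    static boolean authorize(String user, String requiredRole) {
        return ROLES.getOrDefault(user, Set.of()).contains(requiredRole);
    }

    public static void main(String[] args) throws Exception {
        register("alice", "correct horse battery staple", Set.of("user"));
        boolean ok = authenticate("alice", "correct horse battery staple");
        System.out.println("authenticated=" + ok + " admin=" + (ok && authorize("alice", "admin")));
    }
}
```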