HTML and CSS Reference
Figure 11-1. Example of an IDE (NetBeans) that has a built-in profiler
Using session-scoped beans also adds to the complexity of session replication when operating in a clustered environment. In a clustered environment the traffic is typically balanced between the available nodes in the cluster. Even though the cluster tries to ensure that a single user session is served from the node where it was started, there are still situations where a node fails and the traffic must be redirected to another node. To avoid the user session being lost during node failure, sessions must be set up to replicate between the nodes. Luckily, this is taken care of by the application server, but it is an additional issue that must be addressed when using session-scoped beans.
Many applications require securing some or all features with a username and password or through client certificates. The creators of the Java EE specification have defined a container-managed security framework that makes it easier for application developers to secure their applications. Alternatively, application developers can implement a custom security model, also known as application-managed security. Implementing application-managed security requires significant effort and skill, and in the end it may not provide any features or protection that are not already achievable through container-managed security.
Container-managed security is based on a model where resources (URLs) are protected by defined user roles. Upon logging in, users are assigned to user roles and the rest is taken care of by the application server. The only thing the application developer has to be concerned about is defining which resources are protected by which user roles. When the container detects that the user is not authorized to access a requested resource, it will automatically direct the user to a login mechanism. The login mechanism can be basic authentication, form authentication, or client certificate authentication. Basic authentication prompts the user for a username and password through the browser's native username and password dialog. Form authentication allows the application developer to provide her own login form, which as a minimum must include input fields for username and password. Lastly, client certificate authentication uses X.509 certificates to perform public key authentication. The rest of the security infrastructure