Java Reference
In-Depth Information
grant any access control if you don't know who the user is first. The
difference between authentication and authorization is depicted by the
following diagram:
In Java EE, the component containers are responsible for providing application
security. A container basically provides two types of security: declarative and
programmatic. Let's see them both:
Declarative security: It expresses an application component's security
requirements by means of deployment descriptors. Because deployment
descriptor information is contained in an external file, it can be changed
without the need to modify the source code.
For example, Enterprise JavaBeans components use an EJB deployment
descriptor that must be named ejb-jar.xml and placed in the META-INF
folder of the EJB JAR file.
Web components use a web application deployment descriptor named
web.xml located in the WEB-INF directory.
Tip
Since Java EE 5, you can also apply declarative security by means of
annotations, just as with other key APIs (EJB, web services, and so on).
Annotations are specified within a class file and, when the application is
deployed, this information is translated internally by the application
server.
Programmatic security: It is embedded in an application and is used to
make security decisions. It can be used when declarative security alone
is not sufficient to express the security model of an application. The Java
EE security API allows the developer to test whether or not the current
user has access to a specific role, using the following calls:
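As an added example (not code from the original text), the servlet below combines both styles: an annotation declares which roles may reach the resource, and a programmatic check enforces a data-dependent rule that role constraints alone cannot express. The role names, the URL pattern, and the owner parameter are hypothetical; getUserPrincipal() and isUserInRole() are standard HttpServletRequest methods, and the javax.servlet API is assumed to be on the classpath.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declarative part: the container rejects any caller who is not
// authenticated and mapped to one of these (hypothetical) roles
// before doGet() is ever invoked.
@WebServlet("/timesheet")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"employee", "manager"}))
public class TimesheetServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity established by the container during authentication.
        String caller = req.getUserPrincipal().getName();

        // Owner of the requested record; defaults to the caller.
        String owner = req.getParameter("owner");
        if (owner == null || owner.isEmpty()) {
            owner = caller;
        }

        // Programmatic part: only the record's owner or a manager may
        // read it. This depends on request data, so it cannot be stated
        // in a deployment descriptor or annotation.
        boolean allowed = owner.equals(caller) || req.isUserInRole("manager");
        if (!allowed) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // The request parameter is not echoed back in the response.
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Access granted to " + caller);
    }
}
```

The same split applies to EJBs, where the javax.annotation.security.RolesAllowed annotation is the declarative half and EJBContext.isCallerInRole() is the programmatic one.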