use a mix with declarative for some beans and programmatic for others. Let's start by examining one of the fundamental concepts: authentication and authorization.
The Open Web Application Security Project (OWASP) is a nonprofit organization focused on improving web application security. They have many excellent resources documenting how to secure and verify the security of your Java EE applications. They also provide an example Java EE application, WebGoat, which demonstrates how not to write a web application. This application is open source and includes documentation explaining the various security mistakes in the application and how they're exploited and fixed.
6.4.1. Authentication versus authorization
Securing an application involves two primary functions: authentication and authorization. Authentication must be done before authorization can be performed, but as you'll see, both are necessary aspects of application security.
Authentication is the process of verifying user identity. By authenticating, you prove you are who you claim to be. In the real world, this is usually accomplished through visual inspection/identity cards, signatures/handwriting, fingerprints, or DNA tests. In the computing realm, authentication is usually accomplished through a username and password.
Authorization is the process of determining whether a user should have access to a particular resource or operation. Authorization is preceded by authentication—only after a user is authenticated can you check their authorization. In an open system, an authenticated user can access any resource or operation. Most systems, however, restrict access to resources based on user identity. Although there might be some resources in a system that are accessible to all, most resources are restricted to a small subset of users. Both authentication and authorization are closely tied to users, groups, and roles, which we'll look at next.
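As an added illustration (not code from the book), the hypothetical session bean below shows where authentication ends and authorization begins in EJB 3: the container has already authenticated the caller before any method runs, @RolesAllowed expresses declarative authorization, and SessionContext supports the programmatic checks. The bean name, role names, and method names are assumptions.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean: the container authenticates the caller (for example
// through the web tier's login) before any method here executes. The
// annotations and checks below only decide authorization.
@Stateless
@DeclareRoles({"customer", "clerk"})
public class AccountBean {

    @Resource
    private SessionContext ctx;

    // Declarative authorization: the container rejects callers outside
    // these roles with an EJBAccessException before the body runs.
    @RolesAllowed({"customer", "clerk"})
    public String whoAmI() {
        // Result of authentication: the identity the container established.
        Principal caller = ctx.getCallerPrincipal();
        return caller.getName();
    }

    // Any caller may reach this method, so the container performs no
    // role check on it...
    @PermitAll
    public void closeAccount(String accountOwner) {
        // ...but programmatic authorization adds a rule the annotations
        // cannot express: a customer may only close their own account,
        // while a clerk may close any account.
        String caller = ctx.getCallerPrincipal().getName();
        boolean isClerk = ctx.isCallerInRole("clerk");
        if (!isClerk && !caller.equals(accountOwner)) {
            throw new EJBAccessException("not authorized to close this account");
        }
        // Hypothetical persistence logic to close the account would go here.
    }
}
```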