Java EE comes with a mature security model. Four features are guaranteed, meaning every compliant application server must support them: authentication, authorization, confidentiality, and integrity. Two further features are not yet required by the specification but are supported in some form by most high-end application servers: auditing of security-related events, and non-repudiation (a way of preventing the sender of an invocation from later denying responsibility for it) for communication with Web Service components.
Authorization is based on logical security roles: simple names defined by the component provider or application assembler in the XML deployment descriptors (or, in later versions of the platform, in annotations such as @RolesAllowed). Access to the code underneath all Java EE components (JSPs, servlets, and Enterprise JavaBeans) can be restricted declaratively on the basis of these roles, so the container enforces the rule and the component code itself need not check anything.
In the case of EJBs, access can be limited at the level of an individual Enterprise Bean method, whereas access to JSPs and servlets is enforced based on their URL pattern and the HTTP method used (POST, GET, etc.). One caveat follows from that granularity: a web-tier constraint that lists only GET and POST leaves every other method (PUT, DELETE, TRACE, ...) unconstrained, so either omit the http-method element so the constraint covers all methods, or (Servlet 3.1 and later) declare deny-uncovered-http-methods in web.xml. Besides declarative authorization, programmatic authorization is also supported: a component's code can dynamically ask whether the security context of the current user is associated with a particular logical security role (HttpServletRequest.isUserInRole in the web tier, EJBContext.isCallerInRole in the EJB tier) and make a decision based on the answer. This is the right tool when the decision depends on data, such as the amount of a transaction, that a static descriptor cannot express.
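The following is an added example, not code from the original article: a hypothetical EJB and servlet (two source files shown in one block, sharing the import list) that combine declarative and programmatic authorization as described above. The role names "accountant" and "auditor", the URL /payroll/approve, the payment limit and the PayrollBean/PayrollServlet classes are all assumptions made for the illustration.

```java
import java.io.IOException;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// ---- File: PayrollBean.java (hypothetical EJB) ----
// Declarative authorization at method granularity: the container checks the
// caller's roles before the method body runs and throws EJBAccessException
// when the check fails.
@Stateless
@DeclareRoles({"accountant", "auditor"})   // roles this bean's code refers to
public class PayrollBean {
    // Amount above which a second role is required (assumed policy).
    static final long SECOND_APPROVAL_LIMIT_CENTS = 1_000_000L;

    @Resource
    private SessionContext ctx;

    @RolesAllowed("accountant")
    public void approvePayment(String paymentId, long amountCents) {
        // Programmatic authorization layered on the declarative rule: the
        // decision depends on data (the amount), which a static descriptor
        // cannot express. The default is to deny.
        if (amountCents > SECOND_APPROVAL_LIMIT_CENTS && !ctx.isCallerInRole("auditor")) {
            throw new EJBAccessException("auditor role required above limit");
        }
        String approver = ctx.getCallerPrincipal().getName();
        // ... record approval of paymentId by approver (business logic omitted) ...
    }
}

// ---- File: PayrollServlet.java (hypothetical servlet) ----
// Declarative authorization by URL pattern and HTTP method. POST requires the
// "accountant" role over HTTPS (CONFIDENTIAL). The default constraint denies
// every other method, so PUT, DELETE, TRACE and the like cannot slip past an
// incompletely enumerated constraint.
@WebServlet("/payroll/approve")
@DeclareRoles({"accountant", "auditor"})
@ServletSecurity(
    value = @HttpConstraint(ServletSecurity.EmptyRoleSemantic.DENY),
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "POST",
                              rolesAllowed = "accountant",
                              transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL)
    })
public class PayrollServlet extends HttpServlet {
    @EJB
    private PayrollBean payroll;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String paymentId = req.getParameter("paymentId");
        long amountCents;
        try {
            amountCents = Long.parseLong(req.getParameter("amountCents"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Programmatic check in the web tier, using the same role names as the
        // EJB; the container resolves them through its role mapping for this user.
        if (amountCents > PayrollBean.SECOND_APPROVAL_LIMIT_CENTS && !req.isUserInRole("auditor")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "second approval required");
            return;
        }
        try {
            // The caller's security identity propagates to the EJB, which
            // re-checks; the web tier is never assumed to be the only gate.
            payroll.approvePayment(paymentId, amountCents);
        } catch (EJBAccessException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The @DeclareRoles annotations matter for the programmatic checks: a role name passed to isUserInRole or isCallerInRole is a reference from the code, and declaring it lets the application assembler map that reference to an application role without touching the source. The EJB check duplicates the servlet check deliberately, because the bean may also be reached through paths other than this servlet.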
How a given principal is actually mapped to a set of security roles is not defined by the platform itself: it depends on the Java EE notion of a security domain (often called a realm) and the principal authentication mechanisms associated with that domain, and the mapping of users or groups to roles is configured in container-specific deployment descriptors or administration tools. The role names used by an application are therefore portable between servers; the mapping behind them must be redone for each container.