Java EE security notes

Source: Internet
Author: User
Tags: glassfish

These are study notes on the security chapter of the Java EE 6 Tutorial.
A Java EE application is divided into tiers (layers): the client tier is the browser, the web tier is JSP, JSF and so on, the business tier is EJB, and the data tier is JPA, JDBC, etc.
The container of each tier provides that tier's security.
Security comes in two forms: declarative and programmatic.
 
With the declarative approach, security is expressed in a deployment descriptor (DD) or in annotations.
The web tier DD is web.xml.
The EJB DD is ejb-jar.xml.
(Note: annotations count as declarative, but because they live in the source code rather than in a descriptor they have some of the character of programmatic security; the DD can override them. This is not covered further here.)
 
 
With the programmatic approach, eight methods are available:
EJBContext.isCallerInRole
EJBContext.getCallerPrincipal
HttpServletRequest.authenticate
HttpServletRequest.getAuthType
HttpServletRequest.getUserPrincipal
HttpServletRequest.isUserInRole
HttpServletRequest.login
HttpServletRequest.logout
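As an added example (not code from the original post or from the Java EE tutorial), the following shows all eight calls working together in a Java EE 6 (Servlet 3.0 / EJB 3.1) application. The class names, the URL, the `manager` role and the request parameter names are assumptions for illustration; the application must be deployed against a configured realm, with `manager` mapped to a group, for the calls to succeed.

```java
// --- File: PayrollBean.java (business tier, EJB 3.1) ---
// Added example; bean, method and role names are assumptions.
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class PayrollBean {
    // SessionContext extends EJBContext, which carries the two EJB security calls.
    @Resource
    private SessionContext ctx;

    public String pay(String employee) {
        Principal caller = ctx.getCallerPrincipal();
        // Programmatic check in the business tier: do not rely on the web tier having filtered already.
        if (!ctx.isCallerInRole("manager")) {
            throw new SecurityException(caller.getName() + " is not in role manager");
        }
        return caller.getName() + " paid " + employee;
    }
}

// --- File: PayServlet.java (web tier, Servlet 3.0) ---
import java.io.IOException;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/pay")
public class PayServlet extends HttpServlet {
    @EJB
    private PayrollBean payroll;

    // GET: let the container's configured login mechanism (BASIC, FORM, ...) challenge the client.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.authenticate(resp)) {
            return; // authenticate() already sent the challenge (e.g. 401) when it returns false
        }
        resp.getWriter().println("Logged in as " + req.getUserPrincipal().getName()
                + " via " + req.getAuthType()
                + ", manager=" + req.isUserInRole("manager"));
    }

    // POST: log in with credentials carried in the request body (e.g. from a custom login page).
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getUserPrincipal() == null) {
            try {
                // login() validates against the realm configured for this application and
                // throws ServletException if the credentials are wrong or a user is already logged in.
                req.login(req.getParameter("user"), req.getParameter("password"));
            } catch (ServletException e) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        if (!req.isUserInRole("manager")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // web-tier check; the EJB repeats it
            return;
        }
        try {
            resp.getWriter().println(payroll.pay(req.getParameter("employee")));
        } finally {
            req.logout(); // drop the identity established by login() once the request is served
        }
    }
}
```

Two practical points: the credentials passed to `login()` travel in the request body, so the servlet must only be reachable over HTTPS (a transport guarantee of CONFIDENTIAL); and `isUserInRole`/`isCallerInRole` are evaluated against the role-to-group mapping made at deployment, so a role name that was never mapped silently yields `false` rather than an error.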
 
GlassFish security (a copy of the GlassFish administration guide is available)

The GlassFish admin console can be used to create users (in the file realm) and admin users.
A certificate can be created with a tool such as keytool, as in the tutorial's examples.
 
In EJB
Use @DeclareRoles to declare the roles the bean refers to.
Use @RolesAllowed to control which roles may call the protected methods.
 
 
In servlets
Use @ServletSecurity together with @HttpConstraint (and @HttpMethodConstraint for individual HTTP methods) to define and enforce access to protected resources.
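As an added example (not code from the original post or the tutorial) covering both the EJB and the servlet annotations above, the two tiers' declarative security side by side, written against Java EE 6. The bean, servlet, URL, method and role names are assumptions.

```java
// --- File: PayrollBean.java (business tier) ---
// Added example; names are assumptions.
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"manager", "employee"}) // roles this bean refers to; the deployer maps them to realm groups
@RolesAllowed("employee")             // class-level default: every method needs at least "employee"
public class PayrollBean {

    @RolesAllowed("manager")          // method-level annotation overrides the class default
    public void pay(String employee) {
        // ... move money ...
    }

    public String payslip(String employee) { // inherits the class-level "employee" rule
        return "payslip for " + employee;
    }

    @PermitAll                        // callable without any role (web-tier constraints still apply first)
    public String ping() {
        return "ok";
    }

    @DenyAll                          // never callable through the container, e.g. a retired operation
    public void legacyBulkPay() {
    }
}

// --- File: PayrollServlet.java (web tier) ---
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/payroll")
@ServletSecurity(
    // Default for every HTTP method not listed in httpMethodConstraints:
    // authenticated, in "employee" or "manager", and only over HTTPS.
    value = @HttpConstraint(rolesAllowed = {"employee", "manager"},
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // The state-changing operation is narrowed to managers.
        @HttpMethodConstraint(value = "POST", rolesAllowed = "manager",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        // An empty rolesAllowed combined with DENY closes a method completely (nobody may TRACE).
        @HttpMethodConstraint(value = "TRACE", emptyRoleSemantic = EmptyRoleSemantic.DENY)
    })
public class PayrollServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container enforced the constraints above before this method was reached.
        resp.getWriter().println("payroll view for " + req.getUserPrincipal().getName());
    }
}
```

Caveats worth checking when reviewing such annotations: @ServletSecurity only covers the URL patterns mapped by @WebServlet on that class, so a second mapping in web.xml is not protected by it; a security-constraint in web.xml for an exactly matching url-pattern takes precedence over the annotation; and a bare @HttpConstraint with no rolesAllowed uses the default EmptyRoleSemantic.PERMIT, so an "empty" constraint protects nothing.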
 
 
When developing a Java EE application, the developer works in terms of roles throughout, but does not need to know how users are categorized in the GlassFish server's realm, that is, the groups.
Application roles are mapped to server users or groups at deployment time (in GlassFish, with security-role-mapping in sun-web.xml / glassfish-web.xml or the EJB equivalent). If the role names and the group names are exactly the same, the server's Default Principal To Role Mapping setting can be enabled instead, and no explicit mapping is needed.
 
 
This article is from the "meng_xx" blog
