In my previous blog (Securing web applications - Introduction), I introduced security in general and some important security terminology.

There are different kinds of security: application security and network security, to name a few. I am referring to application security here.

In this article, we will see:

  • Custom security vs container security implementations
  • What is the J2EE security model?
  • Types of custom security implementation methods
  • How to implement security using J2EE?
  • Some samples

Application security:

Application security is performed by an application, or by the frameworks or container it runs in, with respect to the users of that application. A user is, for example, the person who logs in and uses the web application.

Container:

A container is the environment in which your application runs. For instance, the Apache Tomcat web server is a web container.

Once a login page is added to your application, security becomes a vital part of it.

You can use the security specifications provided by the container and/or a custom security implementation (which you have to write yourself).

In earlier days, application security was handled by custom coding. Though it was time consuming, it offered good flexibility. Each web application had its own way of authenticating and authorizing users.

Developers would build components to handle authentication, authorization and any other functions that support the security implementation.
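As an added illustration (not code from the original post) of the kind of custom component described above, here is a minimal servlet Filter that authenticates by checking the HttpSession and authorizes by role; the class name, the session attribute names ("authenticatedUser", "roles") and the /admin/ path are assumptions for this example.

```java
// Custom security component: a servlet Filter that guards protected URLs.
// Assumes a separate login servlet has already validated the credentials and
// stored the user name and role set in the session (names are assumptions).
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Authentication: no session or no authenticated user means not logged in.
        // getSession(false) avoids creating an empty session for anonymous requests.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("authenticatedUser");
        if (user == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        // Authorization: everything under /admin/ requires the "admin" role.
        @SuppressWarnings("unchecked")
        Set<String> roles = (Set<String>) session.getAttribute("roles");
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.startsWith("/admin/") && (roles == null || !roles.contains("admin"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Checks passed: let the request reach the protected servlet or JSP.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The filter is mapped to the protected URL patterns with a filter-mapping element in web.xml; the container-managed alternative expresses the same rule declaratively with a security-constraint element and no Java code.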

After JAAS (Java Authentication and Authorization Service) arrived, the industry gained a set of interfaces and methods that developers could leverage to standardize their security implementations.