Web components like Java servlets or JavaServer Faces pages of the Java EE platform enhance the possibilities of the web server providing dynamic extension.
The interaction between a web client and a web application works in a following way:
Web client sends HTTP request to a HttpServlet Request – Web components – (Java Beans Database) – Database. Or Web components give HttpServlet response that transforms in HTTP Response that returns to the Web client.
App security for Java can be configured after the installation of the app or when the app is deployed. Annotations and deployment descripts give info about the security of the app so it is essential to specify that information. In that case deployer will be able to set the appropriate security policy to the web app.
How to implement the security for Java EE web applications?
- Declarative security through the metadata annotations or an application’s deployment descriptor. You can find detailed information in our previous articles concerning security of web apps.
- Programmatic security can be used to make security decisions. Declarative security cannot be effective when working alone as it has no possibilities to fully express the security model of the app as it better works in the middle of the workflow of the app. Programmatic security works better with the login and logout methods. When you use Servlet 3.0 for the authenticate and log in and out methods, then it is not necessary to use deployment descriptor.
- Message Security is the best choice when working with digital signatures and encryption, headers of a SOAP messages as it ensures the end-to-end security. Despite the fact that message security is not an integral part of Java EE 6, it is essential to use it, as it is an efficient way to protect your application.