J2EE security: Container versus custom

Choose the appropriate type of security for your application

Since the first time a login page was added to a Web application, security has been one of the components critical to the success of applications on the Web. Historically, everything was coded by hand. Each Web application had a custom method of authenticating and then authorizing users. Developers also built in components for registration, administration, and any other function needed. Though it carried quite a bit of overhead, this approach allowed great flexibility.

With the advent of JAAS, the Java Authentication and Authorization Service, applications gained a set of interfaces and a configuration they could leverage to standardize those tasks. Even with the addition of JAAS to the specification, J2EE still has a few problems to resolve before application developers can stop creating custom APIs. Choosing between using the J2EE standards or building a custom solution requires knowing the trade-offs of each and, of course, your application's requirements.

This article aims to provide all the information required to decide between custom and container security. I discuss the most common application security functions to provide the necessary background on security. Following that discussion is a detailed explanation of the J2EE security implementations provided by the specifications as well as the most common methods of implementing custom security. After you better understand each of the methods, you should have enough information to choose which method best suits your application's requirements.

What is a container?

Before we discuss the different security types and security implementation concerns, let's review what a container is. A container is an environment in which an application runs. It is also synonymous with a J2EE application server. In terms of J2EE containers, a J2EE application runs inside the container, which has specific responsibilities with respect to the application. There are many different types of J2EE containers and different levels of J2EE support. Tomcat from Apache is a Web container that implements only the Servlet (Web application) portions of the J2EE specification. BEA's WebLogic is a fully compliant J2EE application server, meaning it supports all aspects of the J2EE specification and has passed Sun's J2EE certification tests. If you are unsure of the support your application server provides, contact the vendor for more information.

Application security

Another topic we must cover before we begin is the distinction between application security and other types of security. Application security is security performed with respect to an application's users, either directly by the application or indirectly on its behalf by a framework or container. An example of an application user is someone who logs into an online bookstore and purchases a few Java books. Other types of security exist, such as network security and JVM security. An example of a user those other types deal with is the one who starts a Java process on a machine. Throughout the rest of this article, whenever I discuss security, I mean application security. The other types of security fall outside this discussion's scope.
