Implementing security for Web applications is a mandatory task for architects and Web application developers. In J2EE, Web containers provide built-in security mechanisms for the applications they host.
There are two major components of Web application security: authentication and authorization. J2EE-based Web containers offer three types of authentication mechanisms: basic, form-based, and mutual authentication. Most Web applications use the form-based authentication mechanism, since it allows applications to customize the authentication user interface. Web containers implement authorization on Web resources of applications, using security roles defined in the deployment descriptor of the Web application.
There are three issues that software architects and software developers come across using the form-based authentication mechanism:
- How form-based authentication works with other security realms, such as a database or an LDAP directory (this matters because most organizations already keep their authentication information in a database or in LDAP).
- How to add or delete the authorization roles declared in the deployment descriptor (web.xml) of the Web application.
- Web containers enforce authorization at the Web resource level; however, an application often needs to enforce authorization at the level of individual functions within a single Web resource.
Despite the fact that there is plenty of documentation and many examples available for form-based authentication, none of them clarifies these issues. Hence, most applications have implemented security in their own way.
This article demonstrates how the form-based authentication mechanism works with other security realms, especially a database. It also explains how Web containers use security roles to implement authorization, and how applications can extend those security roles to protect individual functions within a single resource.
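The third issue above, function-level authorization inside one Web resource, is the one the container cannot solve on its own: a security-constraint in web.xml decides who may reach a URL, not which operations they may perform once there. The following servlet is an added example written for this page, not code from the article or from any J2EE vendor. It assumes a constructed web.xml (reproduced in the leading comment) that declares FORM authentication and two roles, clerk and manager, and it assumes a Java 9 or later compiler and the javax.servlet API on the classpath. The role names, action names and URL are all made up for illustration.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Deployment-descriptor assumptions for this example (constructed web.xml fragment):
 *
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login-error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Orders</web-resource-name>
 *       <url-pattern>/orders</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>clerk</role-name>
 *       <role-name>manager</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *
 *   <security-role><role-name>clerk</role-name></security-role>
 *   <security-role><role-name>manager</role-name></security-role>
 *
 * With this descriptor the container authenticates the user through the login form
 * and admits any clerk or manager to /orders. Deciding which actions each role may
 * perform inside the servlet is left to the application, which is what the code below does.
 */
public class OrderServlet extends HttpServlet {

    // Function-level policy: action name -> roles allowed to invoke it.
    // The role names must match the <security-role> entries declared in web.xml,
    // or a <security-role-ref> mapping if the application uses aliases.
    private static final Map<String, Set<String>> ALLOWED_ROLES = Map.of(
            "view",   Set.of("clerk", "manager"),
            "create", Set.of("clerk", "manager"),
            "cancel", Set.of("manager"));

    /**
     * Returns true when the requested action is known and the caller holds at least
     * one role permitted to invoke it. The role check is injected so the policy can be
     * exercised without a container (see the doPost call site for the real wiring).
     */
    static boolean isAllowed(String action, Predicate<String> isUserInRole) {
        if (action == null) {
            return false;                     // no action named: deny
        }
        Set<String> roles = ALLOWED_ROLES.get(action);
        if (roles == null) {
            return false;                     // unknown action: deny by default
        }
        return roles.stream().anyMatch(isUserInRole);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already enforced the resource-level constraint, so a
        // principal is expected here; checking anyway guards against a misconfigured
        // descriptor that leaves the URL unprotected.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String action = req.getParameter("action");

        // req::isUserInRole asks the container's realm (database, LDAP, file) whether
        // the authenticated principal is in the named role.
        if (!isAllowed(action, req::isUserInRole)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        switch (action) {
            case "view":   viewOrders(req, resp);  break;
            case "create": createOrder(req, resp); break;
            case "cancel": cancelOrder(req, resp); break;
            default:       resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }

    // Business operations are placeholders; only the authorization path matters here.
    private void viewOrders(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.getWriter().println("orders for " + req.getUserPrincipal().getName());
    }

    private void createOrder(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.getWriter().println("order created");
    }

    private void cancelOrder(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.getWriter().println("order cancelled");
    }
}
```

Two design points are worth noting. First, the policy is deny-by-default: an action the map does not know about is refused, so adding a new operation forces a deliberate decision about which roles may call it. Second, because the policy map reuses the role names from web.xml, the roles the article describes remain the single vocabulary for both container-level and function-level authorization; when a role is added or removed from the descriptor, the map is the one place in the servlet that has to follow. Passing `req::isUserInRole` rather than the request itself keeps `isAllowed` testable with a plain predicate outside a container, for example `isAllowed("cancel", "clerk"::equals)` evaluating to false and `isAllowed("cancel", "manager"::equals)` to true.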
For Reading More Please Visit OnJava.com