Object-oriented application development lets developers divide an application into different layers, such as a database layer, a business layer, a presentation layer, etc. A multi-layer approach makes large-scale projects easier to develop and maintain. However, this approach raises one of the most important issues: security.
Java EE consists of components such as EJBs, web components, web services, application clients, etc. Each of these components can be deployed into different containers or into the same container. Security is handled by the containers; a container provides programmatic or declarative security. Programmatic security is a control mechanism embedded in the application code, used when declarative security is insufficient. Declarative security defines an application's security configuration outside the application, in configuration files. Annotations can also define a set of security rules in class files.
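The following added example (not part of the original article) shows both styles in one EJB: annotations carry the declarative role rules, and a programmatic check covers a rule the annotations cannot express. The bean name, the role names `customer` and `teller`, the sample balances, and the assumption that the caller's principal name equals the account owner's id are all hypothetical; it needs the Java EE API (`javax.*`) and a container to run.

```java
import java.math.BigDecimal;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean. The role names "customer" and "teller" are assumptions and
// must be mapped to real users or groups in the container's security configuration.
@Stateless
@DeclareRoles({"customer", "teller"})
@RolesAllowed("teller") // declarative default for every business method
public class AccountServiceBean {

    // Constructed sample data standing in for the database layer.
    private static final Map<String, BigDecimal> BALANCES = new ConcurrentHashMap<>();
    static {
        BALANCES.put("alice", new BigDecimal("100.00"));
        BALANCES.put("bob", new BigDecimal("42.50"));
    }

    @Resource
    private SessionContext ctx; // injected by the container

    // Declarative only: the container rejects callers without the "teller"
    // role before this method body runs.
    public void closeAccount(String owner) {
        BALANCES.remove(owner);
    }

    // Declarative rule widened to two roles. The annotation cannot express
    // "a customer may read only their own balance", so that check is programmatic.
    @RolesAllowed({"customer", "teller"})
    public BigDecimal getBalance(String owner) {
        Principal caller = ctx.getCallerPrincipal();
        if (!ctx.isCallerInRole("teller") && !caller.getName().equals(owner)) {
            throw new EJBAccessException("caller may not read this account");
        }
        return BALANCES.get(owner);
    }
}
```

The same role rules could instead be placed in the `ejb-jar.xml` deployment descriptor, which keeps them outside the class files entirely.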
Java provides several security implementation mechanisms, such as:
- JAAS: Java Authentication and Authorization Service consists of APIs that enable authorization and access control for agents (user, account, service, …).
- Java GSS: Java Generic Security Services consists of APIs that enable applications to exchange messages securely.
- JCE: Java Cryptography Extension provides a framework and implementations for encryption, key generation, key agreement and Message Authentication Code (MAC) algorithms.
- JSSE: Java Secure Socket Extension provides a Java implementation of the SSL and TLS protocols.
- SASL: Simple Authentication and Security Layer is a protocol for authentication and optional establishment of a security layer between client and server applications.