Enterprise application security

You can provide security for your Java™ EE enterprise application using annotations or using deployment descriptors.

Security is important in the Java EE environment, and is accomplished through authentication and authorization. Authentication verifies the identity of a given user, typically by requiring the user to enter a user name and password. In the Java EE environment, authentication is associated with a realm. The realm can store user identity information in many ways, including files, LDAP directories, and even databases that are accessed through JDBC. Authorization grants access control permissions that are based not only on what software is running but also on the identity of the authenticated user who is running it. Each time a user logs in, he or she is granted a set of permissions for each application.

Before Java EE 5, if you wanted to use authorization for a given application, you needed to specify authorization information in the application deployment descriptors ejb-jar.xml or web.xml. One of the main focuses of Java EE is to simplify development of Java EE applications. Starting in Java EE 5, developers can specify annotations in Java source files instead of putting metadata in deployment descriptors. Annotations simplify the development of Java EE applications, shortening development cycles and reducing the total cost of ownership.

You can secure your enterprise application using annotations or, if you prefer, using deployment descriptors. For a web module, you still need to specify a <security-constraint> in the web.xml application deployment descriptor in order to have authorization constraints, just as you did in J2EE 1.4. In the Java EE 5 environment, the permissions-related annotations are only defined for EJB modules. For EJB security, see Securing EJBs.
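The following is an added example, not code from this page or from the product it documents, showing the two approaches side by side for an EJB module: a session bean secured with the Java EE 5 security annotations, followed (in a comment) by the equivalent ejb-jar.xml method-permission entries and the web.xml security-constraint that a web module still needs. The package, bean, method and role names (employee, payroll-admin) are hypothetical.

```java
package com.example.payroll; // hypothetical package name

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * Hypothetical stateless session bean secured with annotations.
 * Roles are declared once on the class, then applied per method. The EJB container
 * checks the caller's roles before any business method runs; a caller who is not in
 * a permitted role receives javax.ejb.EJBAccessException instead of a result.
 */
@Stateless
@DeclareRoles({"employee", "payroll-admin"})
@RolesAllowed("employee") // class-level default: every method requires at least "employee"
public class PayrollBean {

    @Resource
    private SessionContext ctx;

    /** Any authenticated employee may read their own record (class default applies). */
    public String viewOwnRecord() {
        return "record for " + ctx.getCallerPrincipal().getName();
    }

    /** Method-level annotation overrides the class default: only payroll-admin may change salaries. */
    @RolesAllowed("payroll-admin")
    public void adjustSalary(String employeeId, long newSalaryCents) {
        // Programmatic check for a rule the declarative model cannot express:
        // an admin must not adjust their own salary.
        if (employeeId.equals(ctx.getCallerPrincipal().getName())) {
            throw new IllegalStateException("self-adjustment is not permitted");
        }
        // ... persist the new salary (omitted) ...
    }

    /** Open to every caller, including unauthenticated ones. */
    @PermitAll
    public String healthCheck() {
        return "ok";
    }

    /** Blocked for all callers regardless of role; useful for a method you cannot yet remove. */
    @DenyAll
    public void legacyExport() {
        // never reached: the container rejects the call before this body runs
    }
}

/*
 * Deployment-descriptor equivalent of the annotations above (hypothetical ejb-jar.xml fragment).
 * Descriptor entries take precedence over annotations, so this is also how a deployer can
 * tighten a bean's access without recompiling it:
 *
 *   <assembly-descriptor>
 *     <security-role><role-name>employee</role-name></security-role>
 *     <security-role><role-name>payroll-admin</role-name></security-role>
 *     <method-permission>
 *       <role-name>employee</role-name>
 *       <method><ejb-name>PayrollBean</ejb-name><method-name>viewOwnRecord</method-name></method>
 *     </method-permission>
 *     <method-permission>
 *       <role-name>payroll-admin</role-name>
 *       <method><ejb-name>PayrollBean</ejb-name><method-name>adjustSalary</method-name></method>
 *     </method-permission>
 *     <method-permission>
 *       <unchecked/>
 *       <method><ejb-name>PayrollBean</ejb-name><method-name>healthCheck</method-name></method>
 *     </method-permission>
 *     <exclude-list>
 *       <method><ejb-name>PayrollBean</ejb-name><method-name>legacyExport</method-name></method>
 *     </exclude-list>
 *   </assembly-descriptor>
 *
 * A web module that fronts this bean has no annotation equivalent in Java EE 5 and still
 * needs a constraint in web.xml (hypothetical URL pattern):
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>payroll</web-resource-name>
 *       <url-pattern>/payroll/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>employee</role-name></auth-constraint>
 *   </security-constraint>
 *   <security-role><role-name>employee</role-name></security-role>
 */
```

Two points worth checking when reviewing such a bean: a method with no annotation inherits the class-level @RolesAllowed, so forgetting the class-level default leaves unannotated methods unchecked; and the role names in @DeclareRoles, web.xml and the EJB descriptor must match exactly, since the container maps them to realm users or groups at deployment time and a misspelled role silently denies everyone.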