Securing enterprise applications
You can provide security for your Java™ EE enterprise application using annotations or using deployment descriptors.
Security is fundamental in the Java EE environment and is accomplished through authentication and authorization. Authentication verifies the identity of a user, typically by requiring a user name and password. In Java EE, authentication is associated with a realm; the realm can store user identity information in many ways, including files, LDAP directories, and databases accessed through JDBC. Authorization grants access-control permissions based not only on what software is running but also on the identity of the authenticated user who is running it: when a user logs in, the security roles that user is mapped to determine the permissions the user has in each application.
Prior to Java EE 5, to use authorization for a given application you had to specify the authorization information in the application deployment descriptors, ejb-jar.xml or web.xml. One of the main goals of Java EE 5 is to simplify development: starting with Java EE 5, developers can specify annotations in Java source files instead of putting that metadata in deployment descriptors. Annotations simplify the development of Java EE applications, shorten development cycles, and reduce the total cost of ownership.
You can secure your enterprise application using annotations or, if you prefer, using deployment descriptors. Two caveats apply. First, in the Java EE 5 environment the permission-related annotations (@DeclareRoles, @RolesAllowed, @PermitAll, @DenyAll and @RunAs in the javax.annotation.security package) are defined only for EJB modules; for a web module you still need a <security-constraint> in the web.xml deployment descriptor to enforce authorization constraints, just as you did in J2EE 1.4. Second, annotations and descriptors can be mixed, and where both specify security for the same bean or method the deployment descriptor overrides the annotation, so a descriptor entry can loosen or tighten what the source code appears to declare; review both when auditing an application. In either approach the role names are placeholders until they are bound to real users or groups at deployment time. For EJB security, see Securing EJBs.
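The following is an added example, not code from the original page, showing an EJB 3.0 stateless session bean secured with the Java EE 5 security annotations, with the equivalent ejb-jar.xml method-permission and the web.xml <security-constraint> that the web module still requires shown in a trailing comment. The package, bean name, role names, URL pattern and method bodies are assumptions chosen for illustration.

```java
// Added example, not from the original page: an EJB 3.0 session bean secured with the
// Java EE 5 javax.annotation.security annotations. The package, bean, role names and
// method bodies are assumptions chosen for illustration.
package com.example.payroll;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"employee", "manager", "auditor"}) // roles referenced anywhere in this bean
@RolesAllowed("employee")   // class-level default for every business method not annotated itself
@RunAs("auditor")           // outbound calls made by this bean carry the "auditor" role
public class PayrollBean {

    @Resource
    private SessionContext ctx;

    // No annotation of its own, so the class-level @RolesAllowed("employee") applies.
    public String viewOwnPayslip() {
        return "payslip for " + ctx.getCallerPrincipal().getName();
    }

    // A method-level annotation replaces (does not add to) the class-level one:
    // only "manager" may call this; a caller with just "employee" gets an EJBAccessException.
    @RolesAllowed("manager")
    public void approveRaise(String employeeId, int percent) {
        // Programmatic check for a rule the declarative model cannot express:
        // a manager may not approve a raise for themselves.
        if (ctx.getCallerPrincipal().getName().equals(employeeId)) {
            throw new SecurityException("managers cannot approve their own raise");
        }
        // ... persist the approval
    }

    @PermitAll   // any caller, including unauthenticated ones
    public String serviceVersion() {
        return "1.0";
    }

    @DenyAll     // no caller may invoke this, whatever roles it holds
    public void legacyBulkExport() {
    }
}

/*
 The same permission for approveRaise expressed in META-INF/ejb-jar.xml. A descriptor
 entry overrides the annotation, so the two must be kept consistent:

   <assembly-descriptor>
     <security-role><role-name>manager</role-name></security-role>
     <method-permission>
       <role-name>manager</role-name>
       <method>
         <ejb-name>PayrollBean</ejb-name>
         <method-name>approveRaise</method-name>
       </method>
     </method-permission>
   </assembly-descriptor>

 The web module has no annotation equivalent in Java EE 5, so WEB-INF/web.xml still needs
 a <security-constraint> for the pages that call the bean (URL pattern is an assumption):

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>payroll</web-resource-name>
       <url-pattern>/payroll/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>employee</role-name>
     </auth-constraint>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>
   <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/login-error.jsp</form-error-page>
     </form-login-config>
   </login-config>
   <security-role><role-name>employee</role-name></security-role>
*/
```

Note that the role names in the annotations, in ejb-jar.xml and in web.xml are only labels; the application is not actually protected until each role is bound to users or groups of the realm at deployment time, and a role that is declared but never bound grants access to nobody.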
Related concepts
Developing Java EE Applications
Creating and configuring Java EE modules using annotations
Developing EJB 3.0 Applications
Differences between EJB 3.0 and EJB 2.1
Deploying EJB 3.0 applications
Related tasks
Creating Java EE projects using wizards
Validating code in enterprise applications
Deploying Java EE applications
Migrating the specification level of Java EE projects
Using annotations to secure Java EE applications
Defining security roles for enterprise applications using deployment descriptors
Adding users to security role bindings
Adding groups to security role bindings
Adding security role "run as" bindings