Reputation: 16496
All Java EE authorisation techniques I've seen so far are for the view layer only - mostly based on JSF. You basically restrict access to certain URL patterns or JSF components.
However, I'd prefer to have my security layer on the services. My layers look something like this:
Since the services are a proxy to my business logic and contain no logic by themselves, I'd like to use them for access control. This way I wouldn't need to implement the security for each view technology separately or watch out for URL patterns (which are terrible to maintain).
My preferred solution would be annotations for classes or methods on the services. If some view code tries to access them without permission, it gets an exception (which is handled and should forward to a login form).
Is there anything like this I could use?
Upvotes: 0
Views: 77
Reputation: 180351
My preferred solution would be annotations for classes or methods on the services. If some view code tries to access them without permission, it gets an exception (which is handled and should forward to a login form).
Is there anything like this I could use?
Yes. What you are already familiar with is called "application-level" security, and it is indeed common. But Java EE has long provided built-in declarative mechanisms as an alternative or adjunct; these can be operative at the web application level or at the component level. The details are far too extensive to describe here, but the Java EE tutorial has three chapters covering them. You would probably want to start with the overview.
At a very high level,
Declarative security requirements have traditionally been expressed in deployment descriptors. Details vary with the type of component or application being secured.
Since at least Java EE 6, some security declarations can also be made via annotations in component sources.
The main built-in mechanism for user authentication and authorization is, appropriately, Java Authentication and Authorization Service (JAAS). This is actually a Java SE technology, so you can use it for regular applications, too. If you've ever worked with Solaris's / Linux's Pluggable Authentication Modules (PAM) subsystem then JAAS will feel familiar in concept.
Some Java EE containers and some application frameworks provide their own security mechanisms; if your circumstances allow you to consider such things then it is worth having a look.
Upvotes: 4
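As an added illustration (not code from the question or the answer above), this is what the annotation-based, container-enforced variant looks like on an EJB service layer; the role names, OrderService and the servlet are assumed.

```java
// Added example, not code from the question or the answer: container-enforced
// authorization on a service-layer EJB via Java EE 6 security annotations.
// Role names "admin"/"user", OrderService and the servlet are assumed.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Stateless
@DeclareRoles({"admin", "user"})   // roles this component refers to
@RolesAllowed("user")              // class-level default: every method needs "user"
public class OrderService {
    @Resource
    private SessionContext ctx;    // container-injected; exposes the caller identity

    public String placeOrder(String item) {   // inherits the class-level rule
        return ctx.getCallerPrincipal().getName() + " ordered " + item;
    }

    @RolesAllowed("admin")                    // method rule overrides the class rule
    public void cancelAllOrders() { /* business logic */ }

    @PermitAll                                // open to everyone, even anonymous
    public boolean isOpenForBusiness() { return true; }
}

// A view-layer caller: the container rejects the call before the method body
// runs, so the view never has to re-implement the access check itself.
@WebServlet("/order")
class OrderServlet extends HttpServlet {
    @EJB
    private OrderService orders;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws java.io.IOException {
        try {
            resp.getWriter().println(orders.placeOrder(req.getParameter("item")));
        } catch (EJBAccessException denied) {
            resp.sendRedirect(req.getContextPath() + "/login.xhtml"); // forward to login form
        }
    }
}
```

The annotations only state the requirement; which principals hold which roles comes from the container's realm and the role mappings in the deployment descriptor, and a caller with no authenticated identity simply fails the @RolesAllowed check.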