Friday, July 01, 2011

JEE 6 Security - Part One (the research)

I am starting to look at security for my JEE 6 / EJB 3.1 application. I have to say there is plenty of information on authorization for EJB 3.x (for instance, which methods or URLs a given role may access) but very few simple articles on authentication and identity management (creating new users and so on). The JEE spec defines the authentication mechanisms (BASIC, FORM, DIGEST, CLIENT-CERT) but not the identity store behind them: where users, passwords and role mappings live, and how new users get created, is left to the container, although all JEE 6 servers support JAAS for plugging that in.
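
To make that split concrete, the following is an added example (my own illustration, not code from this post or from any of the libraries mentioned): the authorization side uses only JEE 6 standard pieces (security annotations on an EJB 3.1 bean, a security-constraint in web.xml), and the one authentication hook the spec does give you, HttpServletRequest.login() from Servlet 3.0, which hands the credentials to whatever realm the container is configured with. The package name, class names, role names and URL patterns are assumptions for the example; the realm itself (JDBC table, LDAP, file) is container configuration, not Java code.

```java
package example.security; // assumed package name

import java.io.IOException;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// File: AccountService.java
// Declarative, method-level authorization: the container checks the caller's
// roles before the method body runs. Role names "admin" and "user" are assumed.
@Stateless
@DeclareRoles({"admin", "user"})
public class AccountService {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("admin")
    public void createUser(String username) {
        // Only reached when the caller holds "admin"; otherwise the container
        // throws javax.ejb.EJBAccessException and this body never executes.
        // The actual insert into the identity store is container/realm specific.
    }

    @RolesAllowed({"admin", "user"})
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }

    @PermitAll
    public boolean canAdminister() {
        // Programmatic check for decisions annotations cannot express
        // (e.g. ones that depend on the data as well as the method).
        return ctx.isCallerInRole("admin");
    }

    @DenyAll
    public void internalOnly() {
        // Fail closed: nobody can call this through the business interface.
    }
}

// File: LoginServlet.java
// Servlet 3.0 (part of JEE 6) added HttpServletRequest.login()/logout(): the
// credentials go to the realm / JAAS login module the container is configured
// with. Which users exist and how they are stored is outside this code.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @EJB
    private AccountService accounts;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Drop any pre-authentication session so an attacker-supplied session id
        // (session fixation) does not become the authenticated session.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        try {
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            // Bad credentials or no realm configured: say nothing about which.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.getSession(true); // fresh session for the authenticated user
        // The EJB call below is itself subject to @RolesAllowed on the bean.
        resp.getWriter().println("Logged in as " + accounts.whoAmI());
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

// web.xml equivalent for URL-level authorization (container-enforced, standard):
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>admin area</web-resource-name>
//       <url-pattern>/admin/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>admin</role-name></auth-constraint>
//     <user-data-constraint>
//       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
//     </user-data-constraint>
//   </security-constraint>
//   <security-role><role-name>admin</role-name></security-role>
```

Everything above the web.xml comment is portable across JEE 6 servers; the part that is not portable is the mapping from "admin" and "user" to real principals in a realm, which each server configures its own way (GlassFish and JBoss, for example, each have their own JDBC realm / login-module descriptors). That is exactly the gap the post is describing.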

Using a new library that handles identity management (PicketLink) sounds great, but I don't want to be stuck in a couple of years' time replacing it because it has gone out of fashion. I also want to try not to use Spring Security and stick with the JEE standards instead (even though Spring Security is a de facto standard).

I hope to follow this up with how I got authentication set up using JAAS, probably with JDBC/database credentials, and how I create new users.

As a side note, I found a good article on Seven Security (Mis)Configurations in Java web.xml Files. Definitely worth a read.
