What is declarative and programmatic security?

Declarative Security - Declarative security specifies an application's security requirements by using either deployment descriptors or annotations.

Programmatic Security - Programmatic security implements an application's security within the application code.

What are the key characteristics of application security?

Following are the key characteristics of application security.

Authentication - Authentication is the means by which a user or client proves to a server that it is authorized to access a specific resource and vice-versa.

Authorization - Authorization is the means by which a server determines if a user has permissions to access a specific resource or data.

Data Integrity - Data integrity means that the data that is exchanged by a client and server is not modified by an unauthorized third party.

Confidentiality or Data privacy - This ensures that information is send to only those users or clients that are authorized to access the data.

Non-repudiation - This means that you can prove that a transaction or action has occurred. So a user who has performed a certain action, cannot deny doing so.

What are some of the security features and APIs provided in Java SE?

Java Authentication and Authorization Service (JAAS) - Java SE provides the JAAS API which enable services to authenticate and enforce access controls. JAAS forms the underlying and base technology for Java EE security mechanisms.

Java Generic Security Services (JGSS) - Java SE provides the JGSS API which is used to securely exchange messages between applications by using tokens.

Java Cryptography Extension (JCE) - Java SE provides the JCE API which provides a framework and implementation for encryption, key generation and key agreement.

Java Secure Sockets Extension (JSSE) - Java SE provides the JSSE API which provides a framework and an implementation for a Java version of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. JSSE includes functionality for data encryption, server authentication, message integrity, and optional client authentication to enable secure Internet communications.

Simple Authentication and Security Layer (SASL) - SASL is an Internet standard that specifies a protocol for authentication and optional establishment of a security layer between client and server applications.

Java SE also provides a set of tools for managing keystores, certificates, and policy files; generating and verifying JAR signatures; and obtaining, listing, and managing Kerberos tickets.

What are some of the security mechanisms provided in Java EE?

Java EE provides three different security mechanisms based on the layer at which the security has to be applied.

Application-Layer Security - In Java EE applications, the application-layer security is provided by the component containers.

Transport-Layer Security - Transport-Layer security is provided by the transport mechanism used to transmit data between the client and server. Java EE application relies on the secure HTTPS protocol using Secure Sockets Layer (SSL).

Message-Layer Security - Message-Layer security secures the SOAP messages that are exchanged between client and server using XML web services.

What are Realms, Users, Groups and Roles?

Realms - Realms are security domains or protection spaces setup for web or application servers. Each realm has its own authentication scheme and contains a collection of Users and Groups.

Users - Users are individual or application entities defined in an identity store that access the application resources.

Group - Groups are abstratct entities defined in Java EE that contains a set of users having common traits.

Roles - Roles are are abstratct entities defined in Java EE that has permissions to access a set of secured resources in an application. Users or Groups are mapped to Roles.

How do you secure web applications?

Java web applications can be secured by either declarative security or programmatic security. Declarative security can be setup either in the deployment descriptor or via annotations.

What are security constraints in Web applications?

Security constraints define access privileges to a collection of web resources using their URL mappings.

If an application uses servlets, the security constraint can be set by using the annotations @HttpConstraint and @HttpMethodConstraint within the annotation @ServletSecurity.

If an application does not use servlets, the security constraint can be set using <security-constraint> element in the deployment descriptor.

<security-constraint> contains the following sub-elements. <web-resource-collection>, <auth-constraint>, and <user-data-constraint>.

<security-constraint>
 <web-resource-collection>
  <web-resource-name>employee</web-resource-name>
  <url-pattern>/secure/employee/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
  <role-name>MANAGER</role-name>
 </auth-constraint>
 <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint>
</security-constraint>

What are the authentication mechanisms used to secure web applications?

Http Basic authentication

Form-based authentication

Digest authentication

How do you specify the authentication mechanism in web applications declaratively?

Authentication mechanism for a web application can be defined using the element in web.xml deployment . The sub-element configures the authentication mechanism and its value can be BASIC, DIGEST, FORM or CLIENT-CERT.

The sub-element indicates the realm name to use when the basic authentication scheme is chosen for the web application.

The sub-element specifies the login and error pages that should be used when form-based login is specified.

 FORM
 
  /login.html
  /error.html
 

How do you specify security roles in web applications declaratively?

The element contains the element which specifies the role that has access to this protected resource.

You can use the element to define roles that are used in the application. These roles can also be used to map to users and groups defined in the application server.

 manager

How do you specify the authentication mechanism in web applications programmatically?

Sometimes declarative security alone is not sufficient to specify the complete security requirements of an application. Programmatic security is used in addition to declarative security in such cases.

HttpServletRequest interface provides following methods that can be used to authenticate users for a web application.

authenticate

login

logout

How do you declare security roles in web applications?

How do you secure an enterprise bean programmatically?

How do you secure an enterprise bean declaratively?

What are digital certificates? How are they used for securing applications?

What are Server certificates? How are they used to secure applications?

What is the Keystore tool used for?

Client Authentication?

Mutual Authentication?

Mutual Authentication?