Security Considerations for Container Providers




Any sound specification should be backed by a solid implementation that adheres to the specification; is secure, reliable, and administrable; and performs well. A J2EE container implementation should provide these qualities while adhering to the J2EE specification. This chapter discusses security considerations that a container provider should take into account while designing and implementing a J2EE container. This chapter also provides an approach to implementing a container runtime by making use of available technologies, including Java security technologies. For example, authentication, authorization, and delegation facilities within a J2EE container can be implemented based on existing Java security technologies.

This chapter starts by discussing the environment in which J2EE containers are deployed and then discusses how JAAS LoginModules can provide a modular and pluggable mechanism to achieve authentication. Authorization implementation comprises administration facilities and a runtime implementation. This chapter discusses an interpretation of security roles as a set of permissions and explains how to achieve better administration, as well as the abstraction of various organizational roles that are involved in application development, deployment, and administration.