Declarative vs Programmatic security

 
Alex Turbado
Greenhorn
Posts: 14
Hi all!

I'm going to develop for the first time a web application using JEE with Servlets, and for the user's authentication and authorization I'm going to use container-managed security, as recommended by the JEE 6 tutorial, in a typical fashion: the user presents username/password once for the login, and next he/she presents a session id within a cookie. Finally, he/she can log out.

My question is: is it possible to achieve that only with declarative security, or am I forced to use programmatic security?

Thanks in advance!
 
K. Tsang
Bartender
Posts: 3629
I'm sure most of the settings can be done declaratively through the web.xml deployment descriptor.

As you can see from the Java EE tutorial, not everything can be done declaratively. Sometimes in combination with programmatic or annotations.
 
Ivan Jozsef Balazs
Rancher
Posts: 992
If you do not need several roles and no application logic depends on them, there is only the login protection, and that can be done via the declarative way alone.

You might need the name of the user logged in, and that needs some programming.

HttpServletRequest.getRemoteUser()
 
Tim Holloway
Bartender
Posts: 18531
You can guard URLs declaratively.

You can augment that with programming to do things like use a common form where certain sets of users can all access the page, but not all users can fetch/store all items managed by the page. For example, I've done apps which supported auditors who could read but not update as well as the line workers who normally entered data on the page and managers who could possibly do things that line workers could not.

Beyond that, it is also possible to add secondary security subsystems of your own devising (or third-party ones like Spring security). The J2EE security framework provides the coarse-grained "brute force" security - the castle moat, walls, and drawbridge (login). The secondary security allows fine-grained control above and beyond what a small number of security roles make convenient.
 
It is sorta covered in the JavaRanch Style Guide.
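Putting the two replies above together (the declarative URL guard plus getRemoteUser()/isUserInRole() for the finer decisions), as an added example that is not code from this thread or from the Java EE tutorial. It assumes the declarative part already sits in web.xml as described in the comment, and the role names auditor, worker and manager and the /records/* path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumes the declarative part is already in web.xml: a <security-constraint>
// on /records/* whose <auth-constraint> lists auditor, worker and manager, a
// FORM <login-config>, and a <security-role> for each of the three names.
// The container then admits only authenticated users holding one of those
// roles; this servlet decides what an admitted user may actually do.
@WebServlet("/records/*")
public class RecordServlet extends HttpServlet {
    // Fine-grained rule on top of the URL guard: auditors are read-only,
    // line workers and managers may change data.
    static boolean canUpdate(HttpServletRequest req) {
        return req.isUserInRole("worker") || req.isUserInRole("manager");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getRemoteUser() is the login name the container authenticated;
        // null means the request bypassed the constraint, so refuse it.
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("records visible to " + user);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getPathInfo())) {
            req.logout();                  // Servlet 3.0: drop the caller identity
            req.getSession().invalidate(); // and the state behind the session cookie
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }
        // Deny by default: an auditor can reach the URL but must not change data.
        if (!canUpdate(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.getWriter().println("record updated by " + req.getRemoteUser());
    }
}
```

Logout is the one step in the question that Servlet 3.0 leaves to code: the declarative constraint and form login need no Java, but ending the session is done with request.logout() plus session invalidation.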