Lecture 6 Flashcards
Enterprise software security requires:
Authentication, authorization/access control, non-repudiation
Java EE security is mostly provided by the respective containers, which are:
Web container for servlets, EJB container for EJBs
What Java SE security is relevant to enterprise?
Java Secure Sockets Extension
Most Java EE security tools work on…
The application level, they affect an individual application only.
Securing apps using the web or EJB container is done by:
Editing configuration files, securing individual components by @annotations, and adding security programmatically (not recommended)
How to prepare securing the web container:
Specify legitimate users and their passwords, specify roles and rights, specify which resources should be protected and how.
What is the deployment descriptor?
It is the web.xml file in the WEB-INF directory of the dynamic web project.
What is added to the deployment descriptor?
Security constraints: web resource collection, authorization constraint, user data constraint
What is declarative security?
Use of @annotations and a deployment descriptor.
Give three security annotations:
@ServletSecurity, @HttpConstraint and @HttpMethodConstraint
What port is standard for SSL connections?
8443
To add annotations to an EJB you need to create what kind of file?
An app.xml file added to the META-INF directory. Also an ejb3.xml. Also a users.properties and roles.properties. Finally modify standalone.xml
How do you call a protected EJB method from an EJB client?
Usual way: use a secure servlet; the user authenticates when calling the servlet. Alternate way: pass the username and password programmatically to the EJB.
Why is enterprise software prone to security risks?
Java itself is prone, with Oracle often closing 50+ security issues in an update; apps are used by multiple users (most of whom are not trusted); apps are distributed and accessible via the Internet; and apps are complex and large.