Securing JEE6 Applications



  1. Securing JEE6 Applications

    There has been a lot of heat surrounding Spring vs. JEE6, migrating from Spring to JEE6, and "The Death of Frameworks", etc.  There have been several posts related to migration, yet no one seems to be addressing security as an aspect of this migration.  JEE6 has made tremendous strides, yet in comparison JAAS still seems to be stuck in the dark ages.

    Since Spring Security has primarily gained traction due to the cumbersome and restrictive nature of JAAS, what do developers have in mind to secure their JEE6 applications?

    My current solution is to use a combination of Spring Security and Spring AOP.  The combination of JEE6 and Spring Security (which requires a Spring Context) seems like a dirty mashup, but it works.  In essence, calls to EJBs are secured as necessary via annotations and the Security Aspect, using Spring Security as the underlying authentication/authorization mechanism.

    So given all the migration hype, what do you have in mind for securing JEE6 apps?  Are you finally going to migrate from Spring Security to JAAS?  Other alternatives?




  2. No response...

    I am a bit curious about this myself. I haven't touched EJBs since J2EE, and I was looking for a solid and simple example of EJB 3.1/JEE 6 security. I would love to see a tutorial for using a DB/JPA as the security store as this is what a lot of smaller companies use. I might be blind, but I couldn't find a good example without using an alpha version of Seam Security with PicketLink. With EJB 3 the Java team has simplified a lot of things, but security setup doesn't seem to be one of them.

    So, rant over. I am curious how people have got on using Spring Security with EJBs? Are there any real concerns using this approach?
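
The arrangement described in the first post (annotated EJB calls checked against Spring Security), as an added example that is not code from either poster. It swaps the Spring AOP aspect for a plain EJB interceptor; the `RequiresAuthority` annotation and the class name are hypothetical, and it assumes the Spring Security filter chain has already authenticated the web request.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/** Attach to a session bean with @Interceptors(SpringSecurityInterceptor.class). */
public class SpringSecurityInterceptor {

    /** Hypothetical marker: the authority a caller must hold, e.g. "ROLE_ADMIN". */
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.METHOD, ElementType.TYPE})
    public @interface RequiresAuthority {
        String value();
    }

    @AroundInvoke
    public Object authorize(InvocationContext ctx) throws Exception {
        Method m = ctx.getMethod();
        // A method-level annotation takes precedence over a class-level one.
        RequiresAuthority required = m.getAnnotation(RequiresAuthority.class);
        if (required == null) {
            required = m.getDeclaringClass().getAnnotation(RequiresAuthority.class);
        }
        if (required == null) {
            return ctx.proceed(); // unmarked methods stay open ("secured as necessary")
        }
        // Spring Security keeps the caller's identity in a thread-local by default.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            throw new AuthenticationCredentialsNotFoundException("no authenticated caller");
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (required.value().equals(granted.getAuthority())) {
                return ctx.proceed(); // caller holds the required authority
            }
        }
        throw new AccessDeniedException("missing authority " + required.value());
    }
}
```

Because `SecurityContextHolder` is thread-local by default, this check only sees the caller on local invocations made from the request thread; remote or `@Asynchronous` EJB calls arrive without a security context and are rejected. Unannotated methods pass through unchecked, so a bean that must be closed by default needs the annotation at class level.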