J2EE Security
This chapter describes the security requirements for the Java™ 2 Platform, Enterprise Edition (J2EE).
The J2EE product provider is responsible for determining the level of security and security assurances afforded by their implementation. However, a J2EE product provider is required to satisfy the requirements specified in this chapter.
J2EE.3.1 Introduction
An enterprise contains many resources that can be accessed by many users. Sensitive information often traverses unprotected open networks (such as the Internet). In such an environment, almost every enterprise has security requirements and specific mechanisms and infrastructure to meet them. Although the quality assurances and implementation details may vary, they all share some of the following characteristics:
- Authentication: The means by which communicating entities prove to one another that they are acting on behalf of specific identities (e.g., client to server and/or server to client).
- Access control for resources: The means by which interactions with resources are limited to collections of users or programs for the purpose of enforcing integrity, confidentiality, or availability constraints.
- Data integrity: The means used to prove that information could not have been modified by a third party (some entity other than the source of the information). For example, a recipient of data sent over an open network must be able to detect and discard messages that were modified after they were sent.
- Confidentiality or data privacy: The means used to ensure that information is made available only to users who are authorized to access it.
- Non-repudiation: The means used to prove that a user performed some action such that the user cannot reasonably deny having done so.
- Auditing: The means used to capture a tamper-resistant record of security related events for the purpose of being able to evaluate the effectiveness of security policies and mechanisms.
This chapter specifies how the J2EE platform addresses some of these security requirements, and identifies those requirements left to be addressed by J2EE product providers. Issues being considered for future versions of this specification are briefly mentioned in Section J2EE.3.7, “Future Directions.”