Glenn Nielsen wrote:
>
> Antony Bowesman wrote:
> >
> > > 8. Security
> >
> > How about
> > 8.1 Concepts - Explanation of J2EE and Java 2 security models
> > 8.2 Authentication with Realms
> > 8.2.1 Simple realm
> > 8.2.2 JDBC Realm
> > 8.2.3 Custom realms
> > 8.3 Authorization
> > 8.3.1 J2EE role based
> >
> > In particular, it should try to explain in simpler terms than the API
> > spec how J2EE roles are designed to work, covering the mapping from
> > developer roles to deployment roles.
> >
> > 8.3.2 Java 2 security policy
> >
>
> I would break the above into two sections.
>
> Access Control (for all the Realm based access control)
>
> and
>
> Server Security (for configuring and using Tomcat with the Java
> SecurityManager)
>
> These really are two completely different topics. And use of
> Realms isn't "Security", it is "Access Control".
Not sure I'd agree with your removal of Java Security Manager from a
chapter about access control. The first line of the JavaTM 2 Platform
Security Introduced: document at
http://java.sun.com/j2se/1.3/docs/guide/security/index.html
says
* Policy-based, easily-configurable, fine-grained access control....
Access control is one element of securing a server, as is
authentication, encryption, non repudiation, SSL etc.
Access control is performed by Java 2 security manager as well as J2EE
and they compliment each other. JAAS (JDK1.3 extension) which extends
the Java 2 model and which is now included in JDK1.4 extends the Java 2
security model to provide principal based access control on top of code
source. So access control is firmly part of Java security.
There should be additional sections on 'server security' that includes
configuring the server for use with SSL.
Antony
