Overview of Web App Security

Start course
2h 6m

This course takes an in-depth look at security in Java Enterprise Edition. We'll cover a wide range of topics as listed below. Finally, we'll round off the course by taking a look at some example exam questions similar to those you can expect to find on the Oracle Certified Java EE exams.

Learning Objectives

  • Understand the fundamentals of security in Java EE
  • Learn the following concepts and features:
    • Securing GlassFish server
    • Working with users, groups, and roles
    • SSL
    • Securing your web applications
    • Securing enterprise beans
    • Digital certificates
    • Security architecture
    • Security threats
    • And much more...

Intended Audience

This course is intended for anyone who already has basic knowledge of Java and now wants to learn about Java Enterprise Edition.


Basic knowledge of Java programming


Hello there. In this lesson, we'll talk about Web Application Security. So, let's start. A web application is accessed using a web browser over a network such as the Internet or a company's intranet. As you know, the Java EE platform uses a distributed multitiered application model and web applications run in the web tier. Web applications contain resources that can be accessed by many users. These resources often traverse unprotected, open networks such as the Internet. In such an environment, a substantial number of web applications will require some type of security. 

In the Java EE platform, web components provide the dynamic extension capabilities for a web server. Web components can be Java servlets or JavaServer Faces Pages. The interaction between a web client and a web application is illustrated in this figure. Certain aspects of web application security can be configured when the application is installed or deployed to the web container. Annotations and or deployment descriptors are used to relay information to the deployer about security and other aspects of the application.

Specifying this information in annotations or in the deployment descriptor helps the deployer set up the appropriate security policy for the web application. Any values explicitly specified in the deployment descriptor override any values specified in annotations. Security for Java EE web applications can be implemented in various ways. Declarative security can be implemented using either metadata annotations or an applications deployment descriptor. Programmatic security is embedded in an application and can be used to make security decisions when declarative security alone is not sufficient to express the security model of an application. Declarative security alone may not be sufficient when conditional login in a particular workflow that is required in the middle of an application.

Servlet 3.0 provides the authenticate, log in, and log out methods of the HTTPServletRequest interface. With the addition of the authenticate log in and log out methods to the servlet specification, an application development descriptor is no longer required for web applications, but may still be used to further specify security requirements beyond the basic default values. Message security; works with Web services and incorporate security features such as digital signatures and encryption into the header of a SOAP message. Working in the application layer ensuring end-to-end security. Message security is not a component of Java EE and is mentioned here for informational purposes only. So, that's it for now. Hope to see you in our next lesson. Have a nice day.


About the Author
Learning Paths

OAK Academy is made up of tech experts who have been in the sector for years and years and are deeply rooted in the tech world. They specialize in critical areas like cybersecurity, coding, IT, game development, app monetization, and mobile development.

Covered Topics