Security Architectures

2h 6m

This course takes an in-depth look at security in Java Enterprise Edition. We'll cover a wide range of topics as listed below. Finally, we'll round off the course by taking a look at some example exam questions similar to those you can expect to find on the Oracle Certified Java EE exams.

Learning Objectives

  • Understand the fundamentals of security in Java EE
  • Learn the following concepts and features:
    • Securing GlassFish server
    • Working with users, groups, and roles
    • SSL
    • Securing your web applications
    • Securing enterprise beans
    • Digital certificates
    • Security architecture
    • Security threats
    • And much more...

Intended Audience

This course is intended for anyone who already has basic knowledge of Java and now wants to learn about Java Enterprise Edition.


Basic knowledge of Java programming


Security Architectures. We need to repeat some security definitions. Principal: a principal is a uniquely identified person or system that can be authenticated by a security module before system access is permitted or denied. Authentication: authentication is the process of confirming that an identified principal is who they claim to be. Typically the principal supplies a username and password; authentication can also use biometrics such as retina scans or fingerprint recognition. Java EE application servers come with support for the following authentication methods: HTTP basic authentication, SSL mutual authentication, and HTML form-based authentication. In HTTP basic authentication, the web server authenticates the username and password entered in a browser.

In SSL mutual authentication, the client and server use X.509 certificates to establish identity over a Secure Sockets Layer channel. In HTML form-based authentication, a developer creates an HTML form to capture identification information. Authorization: authorization is the process by which an authenticated principal is permitted or denied access to a resource based on the permissions set up, directly or indirectly, through membership of a group or an associated role. The Java EE platform uses a role-based access control mechanism. A principal can be associated with one or more roles, and these roles can have zero or more permissions assigned to them. By way of analogy, a principal is much like a citizen: a citizen can hold multiple roles and multiple permissions in daily life, and those roles grant the authority to perform certain operations. Protecting messages: messages can be transmitted either in encrypted form or in clear form with a message signature attached.

Auditing, or logging, is required to help document when a system is under attack. Once steps are taken to prevent an attack, subsequent logging can demonstrate whether the issue has been remediated. Cryptography is the name given to the techniques that allow information to be temporarily transformed, making it unreadable, as it passes through public view. There are two forms of cryptography, symmetric and asymmetric. Symmetric cryptography: the key used to transform a message between its original and encrypted forms is shared by the sender and recipient.

The major consequences are that the key must be securely shared between sender and recipient, and that the algorithm that uses the key to transform the data is not considered part of the security system and may be made public. There is also a demand on system resources to encrypt and decrypt information. Asymmetric cryptography is also commonly known as public key cryptography. In contrast to the single key used in symmetric cryptography, this form uses two mathematically related keys: one that is made known, the public key, and one that is kept secret, the private key. The public key is used to encrypt plaintext or to verify a digital signature; the private key is used to decrypt ciphertext or to create a digital signature.
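To show how the principal, role, SSL and auditing concepts above fit together in a Java EE web application, here is an added example servlet (mine, not from the course) that uses the Servlet 3.0 security annotations; the role names, URL pattern and class name are assumptions, and the login method (BASIC, FORM or CLIENT-CERT) is chosen separately in the application's web.xml.

```java
import java.io.IOException;
import java.security.Principal;
import javax.annotation.security.DeclareRoles;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed role names; at deployment the container maps them to users/groups in its realm.
@DeclareRoles({"auditor", "admin"})
@WebServlet("/audit/report")
@ServletSecurity(
    // Default for all methods: caller must hold auditor or admin, and must use SSL.
    value = @HttpConstraint(rolesAllowed = {"auditor", "admin"},
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    // POST changes state, so it is narrowed to the admin role only.
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "POST", rolesAllowed = "admin",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class AuditReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The container has already authenticated the caller (per web.xml <login-config>)
        // and rejected anyone who is not in one of the roles declared above.
        Principal principal = req.getUserPrincipal();
        resp.setContentType("text/plain");
        resp.getWriter().println("Report requested by " + principal.getName());
        // Programmatic check for a finer-grained decision inside the method.
        if (req.isUserInRole("admin")) {
            resp.getWriter().println("Including unredacted entries (admin role)");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Only an admin over SSL reaches this point; log who did it for the audit trail.
        getServletContext().log("Audit report regenerated by "
            + req.getUserPrincipal().getName() + " from " + req.getRemoteAddr());
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```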


About the Author

OAK Academy is made up of tech experts who have been in the sector for years and years and are deeply rooted in the tech world. They specialize in critical areas like cybersecurity, coding, IT, game development, app monetization, and mobile development.
