Professional Documents
Culture Documents
Security Summary
Security Summary
descriptors.
Done via XML configuration files Done using API calls within the code, e.g., using
@RolesAllowed. servlets.
Flexibility and Less flexible as it relies on More flexible and dynamic since it allows
Realms policy domain" that manages a set of users application, handling the security for company
Roles are assigned to groups or users to Role for Group1 (Sales): Access to sales
Roles define their permissions and access levels data<br>Role for Group2 (IT Support): Admin
Realm Description
file Uses file-based authentication; user credentials are stored in a file (e.g., keyfile).
Permissions assigned to Role for admins: full access to server resources<br>Role for
Role
groups or users. developers: limited access to development resources
Principal:
● Definition: A principal typically represents an entity (like a user, device, or
system) that can be authenticated in a security system. In most cases, a
principal is identified by its unique name or identifier.
● Example: Consider a user named "Alice." In a computer system, "Alice" is
the principal. It's her unique identity in the system, distinguishing her from
other users.
Credential:
● Definition: A credential is a piece of information or data that is used to
verify the identity of a principal. It's something that the principal knows or
possesses, which can be used to prove their identity.
● Example: If Alice's account is protected by a password, that password is
her credential. When she logs in, she provides her username ("Alice" - the
principal) and her password (the credential) to prove that she is indeed
Alice.
● Think of a principal as your name (like your identity card) which identifies who
you are.
● A credential is like the PIN to your ATM card; it's a secret that proves the card
belonging to your name is being used by you.
Usage in
Applied at the
bean.
Applied at the
class or method
level. If at the
level, it applies
only to that
method.
Applied at the
callers.
Applied at the
class or method
level. If at the
class level, it
Indicates that all security
applies to all @PermitAll public void
@PermitAll roles are allowed to
methods; if at openAccessMethod() { ... }
access the method.
the method
level, it applies
only to that
method.
Used within a
session bean
or tracking
purposes.
Used within a
session bean
A method that checks if public void someMethod() { if
isCallerInRole(String method to
the caller belongs to a (sessionContext.isCallerInRole("
roleName) check if the
specific security role. Admin")) {
caller has a
certain role.
1. Encryption
Usage Scenario: When you need to securely transmit or store data so that only
authorized parties can access the original content.
2. Cryptographic Hashing
Usage Scenario: When verifying data integrity or storing passwords.
● Description: Convert data into a fixed-size hash. The process is one-way and the
original data can't be retrieved from the hash.
● Description: Use the same key for both encryption and decryption. Common
algorithms include AES.
● Description: Use two keys - a public key for encryption and a private key for
decryption. Common algorithms include RSA.
5. Generating KeyPair in Java SE
Usage Scenario: When setting up asymmetric encryption.
● Description: Encrypt data with the recipient's public key. The recipient then
decrypts it with their private key.
● Description: First, hash the data. Then, encrypt the hash with a private key (digital
signing).
● Description: Encrypt and decrypt data using the same key, managed securely.
10. Salted Message Digest of Password
Usage Scenario: For securely storing user passwords.
● Description: Encrypt credit card details before storing or sending. Use either
symmetric or asymmetric encryption based on the context.