Application-Layer Security

In Java EE, component containers are responsible for providing application-layer security, security services for a specific application type tailored to the needs of the application. At the application layer, application firewalls can be used to enhance application protection by protecting the communication stream and all associated application resources from attacks.

Java EE security is easy to implement and configure and can offer fine-grained access control to application functions and data. However, as is inherent to security applied at the application layer, security properties are not transferable to applications running in other environments and protect data only while it is residing in the application environment. In the context of a traditional enterprise application, this is not necessarily a problem, but when applied to a web services application, in which data often travels across several intermediaries, you would need to use the Java EE security mechanisms along with transport-layer security and message-layer security for a complete security solution.

The advantages of using application-layer security include the following.

• Security is uniquely suited to the needs of the application.

• Security is fine grained, with application-specific settings.

The disadvantages of using application-layer security include the following.

• The application is dependent on security attributes that are not transferable between application types.

• Support for multiple protocols makes this type of security vulnerable.

• Data is close to or contained within the point of vulnerability.

For more information on providing security at the application layer, see Securing Containers.