Exploring Java SE and Java EE security
In Java, there are distinct security frameworks for Java SE and Java EE. Java SE relies on policy files and JAAS, whereas Java EE adds declarative security through deployment descriptors such as web.xml and ejb-jar.xml and through annotations, container-managed authentication mechanisms such as HTTP Basic and Form authentication, transport security through SSL/TLS, federation protocols such as SAML, and others.
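The following is an added illustration, not code from the book, of the declarative model just described: a servlet protected by @ServletSecurity and an EJB protected by @RolesAllowed, with the caller identity propagating from the web tier to the EJB tier. The class names (ReportServlet, ReportService), the /reports/* path and the admin/user roles are assumptions for the example.

```java
// File: ReportServlet.java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.ejb.EJB;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Roles the container must know about; equivalent to <security-role> in web.xml.
@DeclareRoles({"admin", "user"})
@WebServlet("/reports/*")
@ServletSecurity(
    // Default constraint: applies to every HTTP method NOT named in httpMethodConstraints.
    // Note the contrast with web.xml, where listing <http-method> elements leaves the
    // unlisted methods unprotected unless <http-method-omission> or
    // <deny-uncovered-http-methods/> (Servlet 3.1) is used.
    value = @HttpConstraint(rolesAllowed = "admin",
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"admin", "user"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class ReportServlet extends HttpServlet {

    @EJB
    private ReportService reports;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // By the time we get here the container has authenticated the caller (using the
        // mechanism declared in <login-config>, e.g. BASIC or FORM) and enforced the GET rule.
        resp.setContentType("text/plain");
        resp.getWriter().println(reports.summary());
        // Programmatic check on top of the declarative one, for data-dependent decisions.
        if (req.isUserInRole("admin")) {
            resp.getWriter().println("(admin view)");
        }
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp) {
        reports.purge(); // only reachable by "admin" because of the default constraint above
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

// File: ReportService.java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// The caller identity established in the web tier propagates into this EJB call, so the
// container re-checks the role here. <method-permission> in ejb-jar.xml overrides the annotation.
@Stateless
@DeclareRoles({"admin", "user"})
public class ReportService {

    @Resource
    private SessionContext ctx;

    @RolesAllowed({"admin", "user"})
    public String summary() {
        return "report summary for " + ctx.getCallerPrincipal().getName();
    }

    @RolesAllowed("admin")
    public void purge() {
        // Defence in depth: the container already enforced @RolesAllowed; the explicit
        // check documents the intent and survives a misconfigured descriptor.
        if (!ctx.isCallerInRole("admin")) {
            throw new SecurityException("purge requires the admin role");
        }
        // ... delete archived reports (omitted)
    }
}
```

The authentication mechanism itself (BASIC, FORM, CLIENT-CERT) is still chosen in web.xml under <login-config>; the annotations only declare who may reach which method and whether the transport must be confidential, and a security-constraint in web.xml for the same URL pattern takes precedence over @ServletSecurity.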
A key difference between the two frameworks is that, by default, Java SE does not propagate a security context across JVMs. For Java EE applications, propagation is close to a baseline requirement: security contexts, principals, and subjects must travel across several layers, applications, or even physical machines (clusters) so that authentication and authorization keep working under high availability and failover.
To address these needs, the Java Authentication Service Provider Interface for Containers (JASPIC) specification extended the JAAS model, implementing...
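As an added example (not the book's code), the following shows how the JASPIC Servlet Container Profile builds on the JAAS model: a ServerAuthModule validates HTTP Basic credentials and then hands the caller principal and groups to the container through the JAAS Subject and the container-supplied CallbackHandler. The class name BasicAuthModule, the realm name and the in-memory user store are constructed stand-ins.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicAuthModule implements ServerAuthModule {

    // Constructed stand-in store: username -> SHA-256(password). A real deployment would use
    // a salted, deliberately slow password hash and an external identity store.
    private static final Map<String, byte[]> USERS = Map.of("alice", sha256("correct horse battery staple"));
    private static final Map<String, String[]> GROUPS = Map.of("alice", new String[] {"admin", "user"});

    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) {
        this.handler = handler; // supplied by the container; it knows how to populate the Subject
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] {HttpServletRequest.class, HttpServletResponse.class};
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        // The container says whether the target resource is covered by a security constraint.
        boolean mandatory = Boolean.parseBoolean(String.valueOf(
                messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory")));

        String[] creds = decodeBasic(request.getHeader("Authorization"));
        String user = creds == null ? null : creds[0];
        boolean valid = user != null && USERS.containsKey(user)
                && MessageDigest.isEqual(USERS.get(user), sha256(creds[1])); // constant-time compare

        if (!valid) {
            if (!mandatory) {
                establishCaller(clientSubject, null, null); // unprotected resource: anonymous caller
                return AuthStatus.SUCCESS;
            }
            response.setHeader("WWW-Authenticate", "Basic realm=\"reports\"");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_CONTINUE; // challenge written; the request is not dispatched
        }

        establishCaller(clientSubject, user, GROUPS.getOrDefault(user, new String[0]));
        // JASPIC 1.1: ask the container to keep this identity in the HTTP session.
        messageInfo.getMap().put("javax.servlet.http.registerSession", Boolean.TRUE.toString());
        return AuthStatus.SUCCESS;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS; // nothing to add to the response
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }

    // The JAAS part: the container's handler attaches the principal and groups to the Subject,
    // which is what later drives isUserInRole() in the web tier and @RolesAllowed in the EJB tier.
    private void establishCaller(Subject subject, String name, String[] groups) throws AuthException {
        try {
            if (name == null) {
                handler.handle(new Callback[] {new CallerPrincipalCallback(subject, (Principal) null)});
            } else {
                handler.handle(new Callback[] {
                        new CallerPrincipalCallback(subject, name),
                        new GroupPrincipalCallback(subject, groups)});
            }
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("callback handling failed").initCause(e);
        }
    }

    // Parses "Basic base64(user:password)"; returns null for anything malformed.
    static String[] decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            return colon < 0 ? null : new String[] {pair.substring(0, colon), pair.substring(colon + 1)};
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

To activate the module it must be registered with the container through an AuthConfigProvider (via AuthConfigFactory.getFactory().registerConfigProvider(...)) or the server's own configuration; that wiring is container-specific and not shown here. The isMandatory check matters: a module that challenges every request, including unconstrained ones, breaks public pages, while one that returns SUCCESS without establishing a caller on a protected resource is a security bug.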