Model-based Analysis of Java EE Security Configurations for Web

java ee security

With the widespread use of Java development services, it has come up with the Java EE web applications to provide distributed Outsource Java Development services to remote clients by imposing some strong security requirements.

The application allows to manage the resources and also protects it from unauthorized disclosures and manipulations. Basically, for this purpose, the Java EE framework provides developers with the mechanisms to define access-control policies.

Unluckily, the variety and complexity provided in the security configuration mechanisms are caused by the definition and manipulation of a security policy which can be complex and error-prone.

The security requirements are not static and therefore can be implemented using the policies which can be changed or reviewed often to discover and represent the policy at an appropriate abstraction level. This enables users to understand and re-engineer their critical requirements.

To handle such a situation, a model-based approach is aimed to help which is visualized by the security experts that can analyze and manipulate web security policies automatically. Let us see in brief to the model-based analysis of Java EE web security configurations.

What is Java EE security analysis?

The Java EE is a very popular technology among the java developers for the development of dynamic web applications that also serve as a foundational layer for other less general purpose frameworks.

Java EE facilitates the exposure of the distributed information and services to different users in remote areas where the security is the main concern because of the web resources that contribute to web application which can be accessed by many users potentially rather than choosing untrusted networks.

As a solution to this, the Java EE framework provides the developers with the tools that can specify control policies in order to assure the confidentiality and integrity of the resources which are exposed by web applications.

Despite the available security mechanism, implementing security configurations remains a complex and error-prone activity which requires high expertise to avoid inconsistency and misconfiguration issues which are critical to getting business damages.

As the resources are managed by the web application, it can be accessed by many users and traverse unprotected networks as the unintended data disclosures may lead to important losses both in terms of money and reputation.

How does it provide strong security?

The Java EE applications are typically consisting of JSPs and Servlets as its access-control mechanism is in charge of controlling the access of these elements along with any other web stored and accessible artifacts like HTML pages, docs and much more.

The security configurations contain declarative alternatives that can be used at the same time where the resultant security policy is the result of combining the security constraints specified with both the mechanisms. In case of conflicts, the constraints can take precedence according to the situations as well.

The inconsistencies caused by the access-control policies can be defined with the mechanisms which can be resolved by using the rule precedence, execution semantics, and combination algorithms as specified in the Java EE Servlet specification.

Prior to the extraction process, the definition of metamodels is able to represent the information which is contained in the configuration source files as required. Once a metamodel gets enabled to describe the Java EE access control definitions is available to extract the access-control information defined for the web app.

After having all the access-control information of a Java EE web app in the integrated model which corresponds to our Servlet Security metamodel that enables the reusability of a wide range of proved model-driven tools and techniques to find interesting analysis applications.

Also, the graphical information is very easy to grasp at a glance rather than a textual one. In this sense, the model-driven tools like Sirius allow the definition of variant viewpoints for a given domain-specific language so that different graphical representations can be obtained without the need to manipulate source model.

In such ways, we can obtain general representations and summarize the access-control policy of a given app along with some more detailed representation.


We have seen a model-driven reverse engineering approach to extract the access-control policies from the diverse security configuration mechanism for Java EE web applications. As a result of this, we can create an independent access control platform which can be integrated into a single place by facilitating the comprehension and analysis of the policies.

In the end, you can demonstrate the feasibility and pertinence of our approach by developing a proof of concept tool that can be applied on a set of real projects which are retrieved from GitHub. Keep Learning!!

Diana Vantur is a Technology Analyst currently working at Tatvasoft UK which provides java development services in London. Her area of interest includes tech news and how software is being used in trending business. She strongly believes that knowledge is meant to be shared – whether related to design, software, technologies, and the list goes on.

You might like

About the Author: Vijay Aegis

We use cookies in order to give you the best possible experience on our website. By continuing to use this site, you agree to our use of cookies.