In JBoss, when we talk about security, we essentially focus on two aspects:
- JBoss internal application server access and control security
- J2EE application security using JBoss components
JBoss Enterprise Application Platform has to be secured at a variety of levels, including the Console, the Datasource and the Invoker level. Leaving these issues unattended can lead to a serious compromise of security that could prove fatal for the J2EE application.

From the application's point of view, we should be able to restrict a user's access and control their operations. The J2EE specifications define a simple role-based security model for EJBs and web components. The JBoss component framework that handles security is the JBossSX extension framework. The JBossSX security extension supports both the role-based declarative J2EE security model and the integration of custom security via a security proxy layer. The default implementation of the declarative security model is based on Java Authentication and Authorization Service (JAAS) login modules and subjects.

Taashee's JBoss team does a thorough check on JBoss AS, following well-defined security procedures, and provides a framework to developers to ensure a better level of security at the application level.
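
The declarative role-based model backed by a JAAS login module, as described above, shown as an added example that is not part of the original page or Taashee's own configuration. It assumes the JBoss AS 4.x/5.x style file layout; the domain name, properties file names, URL pattern and role name are hypothetical.

```xml
<!-- Added example. Three separate descriptor fragments, shown together. -->

<!-- 1) conf/login-config.xml: the JAAS login module stack for one security domain -->
<application-policy name="example-domain">  <!-- hypothetical domain name -->
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <!-- hypothetical file names, resolved from the classpath -->
      <module-option name="usersProperties">example-users.properties</module-option>
      <module-option name="rolesProperties">example-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- 2) WEB-INF/jboss-web.xml: bind the web application to that domain -->
<jboss-web>
  <security-domain>java:/jaas/example-domain</security-domain>
</jboss-web>

<!-- 3) WEB-INF/web.xml: the declarative, role-based constraint itself -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>  <!-- hypothetical path -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>  <!-- must match a role returned by the login module -->
  </auth-constraint>
  <user-data-constraint>
    <!-- require TLS so BASIC credentials are not sent in clear text -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example</realm-name>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
```

UsersRolesLoginModule reads user names and passwords from plain properties files, so it suits development and testing; a deployment would normally point the same application-policy at a database- or LDAP-backed login module instead, without changing web.xml.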