J2EE-Security-Advance is a Java EE sample project that demonstrates advanced security features for enterprise applications. Built on the Jakarta EE Security API, it implements a custom authentication mechanism, a custom identity store, and role-based access control at both the servlet and EJB layers. It is intended for learning production-style security practices in Java EE: declarative and programmatic security, session handling around login and logout, and protection of web and business-tier resources.
```
J2EE-Security-Advance/
├── src/
│   └── main/
│       ├── java/
│       │   └── lk.jlat.web/
│       │       ├── ejb/
│       │       │   ├── AdminSessionBean
│       │       │   └── UserSessionBean
│       │       ├── model/
│       │       │   └── User
│       │       ├── security/
│       │       │   ├── AppIdentityStore
│       │       │   └── AuthMechanism
│       │       └── servlet/
│       │           ├── Admin
│       │           ├── AutoLogin
│       │           ├── Login
│       │           ├── Logout
│       │           └── User
│       ├── resources/
│       └── webapp/
│           ├── admin/
│           ├── WEB-INF/
│           │   └── web.xml
│           ├── error.jsp
│           ├── index.jsp
│           └── login.jsp
└── pom.xml
```
- **AdminSessionBean**: Stateless EJB for admin-specific business logic.
- **UserSessionBean**: Stateless EJB demonstrating method-level security with `@DenyAll`, `@PermitAll`, and `@RolesAllowed` for fine-grained access control.
- **User** (model): POJO representing a user with a password and roles, used for authentication and authorization.
- **AppIdentityStore**: Custom `IdentityStore` that validates user credentials and maps users to roles, backed by in-memory user data for demonstration purposes.
- **AuthMechanism**: Custom `HttpAuthenticationMechanism` implementing the login flow: reads the submitted credentials, validates them through the identity store, and redirects to the right page on success or failure.
- **Admin** (servlet): Servlet for admin profile actions, protected with `@ServletSecurity` and role declarations.
- **AutoLogin** (servlet): Servlet that performs a programmatic login, useful for automation or testing; it should be disabled or protected outside test environments.
- **Login** (servlet): Handles login form submissions and redirects.
- **Logout** (servlet): Invalidates the session, clears the caller identity, and redirects after logout.
- **User** (servlet): Servlet for user-specific actions, invoking the secured EJB methods.
- **admin/**: Admin dashboard JSP, accessible only to users with the `ADMIN` role.
- **WEB-INF/web.xml**: Declarative security configuration defining protected resources, security roles, and constraints.
- **login.jsp**: Custom login page for user authentication.
- **error.jsp**: Error page shown after a failed login attempt.
- **index.jsp**: Public landing page.
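The identity-store and authentication-mechanism pair described above, written out as an added example. This is not the project's `AppIdentityStore` or `AuthMechanism`; the class names, the `demo.security` package, the `/login` form action, the `username`/`password` form fields, and the two in-memory accounts are all assumptions made for the illustration, and each class would live in its own source file.

```java
package demo.security; // hypothetical package, not the project's lk.jlat.web

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.AutoApplySession;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/** In-memory identity store: validates a username/password and returns the caller's groups (roles). */
@ApplicationScoped
public class DemoIdentityStore implements IdentityStore {

    // Constructed demo accounts. Plain-text passwords are for illustration only; a real store keeps
    // salted hashes (the Security API ships Pbkdf2PasswordHash for exactly this).
    private static final Map<String, String> PASSWORDS = Map.of("admin", "admin-pass", "bob", "bob-pass");
    private static final Map<String, Set<String>> ROLES = Map.of("admin", Set.of("ADMIN", "USER"), "bob", Set.of("USER"));

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT; // let another store handle other credential types
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String expected = PASSWORDS.get(upc.getCaller());
        if (expected == null) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        // Constant-time comparison so response timing does not leak how many characters matched
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = upc.getPasswordAsString().getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        return new CredentialValidationResult(upc.getCaller(), ROLES.get(upc.getCaller()));
    }
}

/** Form-based mechanism: handles POST /login, otherwise sends unauthenticated callers to the login page. */
@AutoApplySession // the container re-applies the authenticated caller on later requests in the same session
@ApplicationScoped
class FormAuthMechanism implements HttpAuthenticationMechanism {

    @Inject
    private IdentityStoreHandler identityStoreHandler; // fans out to every IdentityStore in the app

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
                                                HttpMessageContext context) throws AuthenticationException {
        String ctx = request.getContextPath();
        boolean loginAttempt = "POST".equals(request.getMethod())
                && (ctx + "/login").equals(request.getRequestURI()); // hypothetical form action

        if (loginAttempt) {
            String username = request.getParameter("username");
            String password = request.getParameter("password");
            if (username == null || password == null) {
                return context.forward("/error.jsp");
            }
            CredentialValidationResult result =
                    identityStoreHandler.validate(new UsernamePasswordCredential(username, password));
            if (result.getStatus() != CredentialValidationResult.Status.VALID) {
                return context.forward("/error.jsp"); // same page whether the user or the password was wrong
            }
            // Rotate the session id before the session gains a privileged identity (session fixation)
            if (request.getSession(false) != null) {
                request.changeSessionId();
            }
            context.notifyContainerAboutLogin(result); // sets the caller principal and groups for this request
            return context.redirect(ctx + "/user");
        }

        if (context.isProtected()) {
            // Unauthenticated request for a constrained resource: send the caller to the login form
            return context.redirect(ctx + "/login.jsp");
        }
        return context.doNothing(); // public resource, no authentication needed
    }
}
```

Two points worth checking when adapting this: `/login.jsp` and `/error.jsp` must stay outside every security constraint, or the redirect loops; and once the mechanism is deployed, the container calls `validateRequest` for every request, so the unprotected branch has to return `doNothing()` rather than a redirect.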
- ✅ Advanced authentication using the Jakarta EE Security API
- ✅ Custom identity store and authentication mechanism
- ✅ Role-based access control at the servlet and EJB layers
- ✅ Method-level security with annotations (`@DenyAll`, `@PermitAll`, `@RolesAllowed`)
- ✅ Secure login, logout, and session management
- ✅ Declarative and programmatic security configuration
- ✅ Custom error and login pages for improved UX
- **Authentication:** Users log in through the custom form or the programmatic `AutoLogin` endpoint. Credentials are validated against the in-memory identity store, which also returns the user's roles.
- **Authorization:** Access to servlets is restricted declaratively in `web.xml` and with `@ServletSecurity`; EJB methods are restricted with `@RolesAllowed`, `@PermitAll`, and `@DenyAll`. Both layers are checked, so a caller who reaches a servlet still cannot invoke an EJB method outside their role.
- **Session Management:** Logout invalidates the HTTP session and clears the caller identity, so a stale session cannot reach protected resources afterwards.
- **Role Separation:** Admin and user functionality are kept apart, with dedicated endpoints and views for each role.
- Java 11
- Jakarta EE 10 (EJB, Servlet, Security API)
- Maven
- ✅ Implement advanced authentication and identity management in Java EE
- ✅ Apply role-based security at multiple application layers
- ✅ Configure and extend Jakarta EE Security API for real-world scenarios
- ✅ Build secure, maintainable enterprise applications
Chamika Gayashan
Undergraduate Software Engineer | Sri Lanka
Linkedin: @chamikathereal