Securing J2EE SOA Enterprise Applications with a Pattern-Based Approach

2020 
Security is a key issue in SOA J2EE applications. The literature and a considerable number of frameworks address security issues for this type of enterprise application. However, there are two significant problems in this body of knowledge: (i) it is hard to find an architectural approach for dealing with security threats to SOA J2EE applications; and (ii) technologies are constantly changing, making it difficult to have an abstract view of the problems that are solved using specific technologies. The Core Security Patterns (CSP) catalogue solves both problems because it provides a comprehensive architectural solution to J2EE security issues and abstracts specific security technologies into security patterns. However, the CSP pattern catalogue is huge (more than 1,000 pages) and there are three significant challenges to understanding it completely: (i) the integration of the CSP security patterns and the Core J2EE Patterns (CJP) for the software architecture of SOA J2EE applications is not evident; (ii) the high abstraction level of the CSP patterns, in some cases, obscures the security problems that the patterns solve; and (iii) the implementation of the CSP patterns involves the configuration of complex security frameworks, adding a layer of complexity to securing a J2EE application using a pattern-based approach. To address these issues, we have developed a SOA multitier application based on the patterns described in the CJP catalogue, and we have secured it by implementing the patterns described in the CSP catalogue. This paper describes the work carried out during these developments. The main goal was to relate the CSP patterns with: (i) CJP patterns; (ii) the security concerns that the CSP patterns address; and (iii) the present security frameworks. As a result of this paper, we expect the inclusion of security elements in SOA enterprise applications to be easier for software architects and developers.
Finally, four main conclusions can be drawn from our study: (i) security is an orthogonal aspect for SOA multitier development; (ii) implementation of security patterns relies heavily on security frameworks, with the configuration of security frameworks thus becoming one of the most complex issues when securing J2EE SOA multitier applications; (iii) no J2EE application servers are needed to deploy secure J2EE SOA enterprise applications; and (iv) whether or not application servers are used, security-related implementations are closely tied to the application container and frameworks used for SOA implementation.