About the Java EE Security API
Java Platform, Enterprise Edition (Java EE) 8
The Java EE Tutorial

Java EE includes support for JSR 375, which defines portable, plug-in interfaces for authentication and identity stores, and a new injectable-type SecurityContext interface that provides an access point for programmatic security. You can use the built-in implementations of these APIs, or define custom implementations.

The Java EE Security API contains the following packages:

  • The javax.security.enterprise package is the main Java EE security API package and contains classes and interfaces that span authentication, authorization, and identity concerns. Table 51-1 lists the main classes and interfaces in this package.

  • The javax.security.enterprise.authentication.mechanism.http package contains classes and interfaces associated with HTTP-based authentication mechanisms that can interact with a caller or third parties as part of an authentication protocol. Table 51-2 lists the main classes and interfaces in this package.

  • The javax.security.enterprise.credential package contains classes and interfaces for representing user credentials. Table 51-3 lists the main classes and interfaces in this package.

  • The javax.security.enterprise.identitystore package contains classes and interfaces associated with identity stores that validate a caller’s credentials and look up caller groups. Table 51-4 lists the main classes and interfaces in this package.

Table 51-1 Main Classes and Interfaces in javax.security.enterprise

| Class or Interface | Description |
|---|---|
| SecurityContext | Injectable-type interface that provides an access point for programmatic security intended to be used by application code to query and interact with the Java EE Security API. |
| CallerPrincipal | Principal type that can represent the identity of the application caller. |
| AuthenticationStatus | Enum used to indicate the return value from an authentication mechanism. |
| AuthenticationException | Indicates that a problem occurred during the authentication process. |

Table 51-2 Main Classes and Interfaces in javax.security.enterprise.authentication.mechanism.http

| Class or Interface | Description |
|---|---|
| HttpAuthenticationMechanism | Interface representing an HTTP authentication mechanism. Developers can provide their own implementation of this interface, or use one of several built-in HTTP authentication mechanisms. |
| HttpMessageContext | Interface representing the parameters passed to/from methods of an HttpAuthenticationMechanism at runtime. |
| AuthenticationParameters | Class that carries parameters passed to the SecurityContext.authenticate() method. |
| HttpMessageContextWrapper | Abstract class developers can extend to customize HttpMessageContext behavior. |

Note: The javax.security.enterprise.authentication.mechanism.http package also includes a number of annotation classes that are used to configure/enable the built-in authentication mechanisms or to modify the behavior of an authentication mechanism.
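The following added example (not part of the original tutorial) shows how a custom HttpAuthenticationMechanism ties the packages together: it builds a UsernamePasswordCredential, hands it to the injected IdentityStoreHandler, and reports the outcome through HttpMessageContext. The class name and the X-Caller and X-Secret headers are hypothetical, and an identity store is assumed to be configured in the application.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: the header names below are assumptions, not part of the API.
@ApplicationScoped
public class HeaderAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Inject
    private IdentityStoreHandler identityStoreHandler; // delegates to the configured identity store(s)

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context)
            throws AuthenticationException {

        String caller = request.getHeader("X-Caller");
        String secret = request.getHeader("X-Secret");

        if (caller == null || secret == null) {
            // No credentials presented: reject only when the resource is protected.
            return context.isProtected() ? context.responseUnauthorized() : context.doNothing();
        }

        UsernamePasswordCredential credential = new UsernamePasswordCredential(caller, secret);
        try {
            CredentialValidationResult result = identityStoreHandler.validate(credential);
            if (result.getStatus() == CredentialValidationResult.Status.VALID) {
                // Registers the caller principal and groups with the container for this request.
                return context.notifyContainerAboutLogin(result);
            }
            // INVALID and NOT_VALIDATED are both treated as a failed login.
            return context.responseUnauthorized();
        } finally {
            credential.clear(); // wipe the in-memory copy of the password once validation is done
        }
    }
}
```

An application may define only one HttpAuthenticationMechanism, so a class like this replaces the built-in mechanisms rather than running alongside them.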

Table 51-3 Main Classes and Interfaces in javax.security.enterprise.credential

| Class or Interface | Description |
|---|---|
| Credential | Interface that represents a generic credential and defines several methods to operate on credentials. All other classes in this package are implementations of the Credential interface. |
| AbstractClearableCredential | Abstract class implementing behavior common to Credentials that can be meaningfully cleared. |
| BasicAuthenticationCredential | Class that extends UsernamePasswordCredential to represent credentials used by HTTP Basic Authentication. |
| CallerOnlyCredential | Credential that contains a caller name only; can be used to assert an identity, but not to authenticate a user, due to the lack of any secret or other credential that can be validated. |
| Password | Class that represents a text-based password. |
| RememberMeCredential | Class that represents a credential presented as a token, for the explicit usage with the JSR 375 remember me function. |
| UsernamePasswordCredential | Class that represents the credentials typically used by standard caller name/password authentication. |

Table 51-4 Main Classes and Interfaces in javax.security.enterprise.identitystore

| Class or Interface | Description |
|---|---|
| IdentityStore | Interface representing an Identity Store. Developers can provide their own implementation of this interface, or use one of the built-in Identity Stores. |
| IdentityStoreHandler | Interface that defines the method applications use to interact with Identity Stores. Applications can use the built-in IdentityStoreHandler, or supply their own implementation if custom behavior is desired. |
| PasswordHash | Interface defining methods for generating and validating password hashes, needed to securely validate passwords when using the built-in Database Identity Store. Developers can implement this interface to generate/validate password hashes using any desired algorithm. |
| Pbkdf2PasswordHash | Marker interface implemented by the built-in PBKDF2 PasswordHash implementation. Developers can use this interface to select the built-in PBKDF2 algorithm when configuring the Database Identity Store. |
| RememberMeIdentityStore | Interface defining a special type of Identity Store, used in conjunction with the RememberMe annotation to provide RememberMe behavior for an application. |
| CredentialValidationResult | Class that represents the result from an attempt to validate a Credential. |
| IdentityStorePermission | Permission required to invoke the getGroups method of an IdentityStore, when a SecurityManager is configured. |
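As an added illustration (not code from the original tutorial), the custom IdentityStore below verifies passwords with the built-in Pbkdf2PasswordHash and returns a CredentialValidationResult. The class name, the in-memory maps and the sample account are constructed for this example; a real store would load hashes from persistent storage.

```java
import java.util.*;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;

// Added example: names and sample data are hypothetical.
@ApplicationScoped
public class InMemoryIdentityStore implements IdentityStore {

    @Inject
    private Pbkdf2PasswordHash passwordHash; // built-in PBKDF2 implementation, default parameters

    private final Map<String, String> hashes = new HashMap<>();      // caller name -> stored hash
    private final Map<String, Set<String>> groups = new HashMap<>(); // caller name -> groups
    private String dummyHash;

    @PostConstruct
    void init() {
        // Constructed sample account; only the hash is kept, never the plaintext.
        hashes.put("alice", passwordHash.generate("constructed-sample-password".toCharArray()));
        groups.put("alice", Collections.singleton("user"));
        // Hash of a random value, verified against when the caller is unknown so that
        // unknown and known callers cost roughly the same time to reject.
        dummyHash = passwordHash.generate(UUID.randomUUID().toString().toCharArray());
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            // Let another identity store handle credential types this one does not understand.
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String caller = upc.getCaller();
        boolean known = hashes.containsKey(caller);
        String stored = known ? hashes.get(caller) : dummyHash;
        boolean matches = passwordHash.verify(upc.getPassword().getValue(), stored);
        if (known && matches) {
            return new CredentialValidationResult(caller, groups.get(caller));
        }
        return CredentialValidationResult.INVALID_RESULT;
    }
}
```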

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.