J2EE-Security is a simple yet comprehensive Java EE project that demonstrates role-based security, authentication, and authorization in enterprise web applications. The project uses EJBs, servlets, and declarative security in web.xml to provide protected admin and user areas, secure login/logout, and fine-grained access control at both the web and business logic layers. This project is ideal for learning how to implement robust security in Java EE applications using modern best practices.

J2EE-Security/
├── src/
│   └── main/
│       ├── java/
│       │   └── lk.jlat.web/
│       │       ├── ejb/
│       │       │   ├── AdminSessionBean
│       │       │   └── UserSessionBean
│       │       ├── model/
│       │       └── servlet/
│       │           ├── Admin
│       │           ├── AutoLogin
│       │           ├── Logout
│       │           └── User
│       ├── resources/
│       └── webapp/
│           ├── admin/
│           │   └── index.jsp
│           ├── WEB-INF/
│           │   └── web.xml
│           ├── error.jsp
│           ├── index.jsp
│           └── login.jsp
├── pom.xml

• AdminSessionBean
  Stateless EJB for admin-specific business logic and operations.

• UserSessionBean
  Stateless EJB with methods demonstrating role-based access using annotations like @DenyAll, @PermitAll, and @RolesAllowed.

• Admin
  Servlet for handling admin profile actions and access.

• AutoLogin
  Servlet that demonstrates programmatic login for testing or automation.

• Logout
  Servlet to securely invalidate sessions and handle user logout.

• User
  Servlet for user-specific actions, invoking secured EJB methods.

• admin/index.jsp
  Admin dashboard, accessible only to users with the admin role.

• WEB-INF/web.xml
  Security configuration, defining protected URL patterns, authentication methods, and role mappings.

• login.jsp
  Custom login page for form-based authentication.

• error.jsp
  Error page for failed login attempts.

• index.jsp
  Public landing page.

• ✅ Role-based access control for admin and user areas
• ✅ EJB method-level security using @DenyAll, @PermitAll, and @RolesAllowed
• ✅ Secure login and logout with session management
• ✅ Declarative security configuration via web.xml
• ✅ Custom error and login pages for enhanced user experience

• Authentication:
  Users log in via a form-based authentication mechanism. Credentials are validated and roles are assigned based on configuration.

• Authorization:
  Access to servlets and EJB methods is controlled using both declarative (web.xml) and programmatic (EJB annotations) security.

• Session Management:
  Secure session handling ensures users can log out safely, and unauthorized access is prevented.

• Admin and User Separation:
  Admin and user functionalities are strictly separated, with dedicated servlets, EJBs, and protected JSPs.

• Java 11
• Jakarta EE 10 (EJB, Servlet, Security)
• Maven

• ✅ Understand Java EE security concepts and best practices
• ✅ Implement role-based access control in both web and EJB layers
• ✅ Configure authentication and authorization declaratively and programmatically
• ✅ Build secure, maintainable enterprise applications

Chamika Gayashan
Undergraduate Software Engineer | Sri Lanka
Linkedin: @chamikathereal
Current date: Sunday, June 22, 2025, 1:30 AM +0530