Developing enterprise software applications with security requirements can be a cumbersome and error-prone process. In such applications, security logic is often spread all over the application code. This makes it difficult to understand how things work and hard to maintain security in such code.

With model-driven development, business logic should be expressed in the objects of your domain model. As of now, there is no convenient way to express access control requirements through your domain model. Hence access-control code is normally written into the service layer or data-access layer.

JPA Security offers a way to express access control through your domain model and additionally supplies a solution to completely separate access control logic from business logic, improving performance and maintainability. JPA Security provides an interface to define the security requirements of your domain model via configuration (annotations or XML).

Due to its smooth integration into current Java standards, it may be integrated into every layer of your application. It enables you to configure rules defining access control for your Entity Beans and Embeddables based on the current security context (i.e. the currently authenticated user and/or its roles in the application).

JPA Security uses the notion of a security unit to refer to a set of Java bean classes and their corresponding access rules. In the current version of JPA Security, a security unit directly corresponds to a persistence unit of JPA. The content of a security unit is defined at deployment time and may not change at runtime.

In contrast to the security unit, the security context starts at runtime with the authentication of a user. As of version 0.4.0 of JPA Security, the content of this context is completely customizable, which you do by implementing the SecurityContext interface. The security context contains information such as the current user, its roles and/or the current tenant, but any kind of context information that is needed to specify the authorization of the current user to access beans may be made available through the security context.
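The following sketch is an added illustration, not JPA Security code and not its API: it shows the general idea of a read rule declared on a domain class and evaluated against a runtime security context holding user, roles and tenant. The names `ReadRule`, `Context`, `Invoice`, `RULES` and the rule name are hypothetical, and the in-memory filtering stands in for enforcement only to keep the example self-contained.

```java
import java.lang.annotation.*;
import java.util.*;
import java.util.function.BiPredicate;

public class DomainRuleSketch {
    // Hypothetical annotation (NOT JPA Security's API): names the read rule of an entity.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface ReadRule { String value(); }

    // Hypothetical security context, created when a user authenticates.
    record Context(String user, Set<String> roles, String tenant) {}

    // The access requirement lives on the domain class, not in service code.
    @ReadRule("ownerOrAdminInTenant")
    record Invoice(long id, String owner, String tenant) {}

    // The rule set is fixed at startup, mirroring a security unit that is
    // defined at deployment time and does not change at runtime.
    static final Map<String, BiPredicate<Object, Context>> RULES = Map.of(
        "ownerOrAdminInTenant", (e, ctx) -> {
            Invoice i = (Invoice) e;
            return i.tenant().equals(ctx.tenant())
                && (i.owner().equals(ctx.user()) || ctx.roles().contains("admin"));
        });

    // Default deny: a class without an annotation or with an unknown rule is unreadable.
    static boolean canRead(Object entity, Context ctx) {
        ReadRule rule = entity.getClass().getAnnotation(ReadRule.class);
        BiPredicate<Object, Context> p = rule == null ? null : RULES.get(rule.value());
        return p != null && p.test(entity, ctx);
    }

    // Business code asks for entities; the rule decides what the caller sees.
    static <T> List<T> readable(List<T> entities, Context ctx) {
        return entities.stream().filter(e -> canRead(e, ctx)).toList();
    }

    public static void main(String[] args) {
        List<Invoice> all = List.of(            // constructed sample data
            new Invoice(1, "alice", "acme"),
            new Invoice(2, "bob", "acme"),
            new Invoice(3, "alice", "globex"));
        Context alice = new Context("alice", Set.of("user"), "acme");
        Context admin = new Context("carol", Set.of("admin"), "acme");
        System.out.println("alice sees: " + readable(all, alice));
        System.out.println("admin sees: " + readable(all, admin));
    }
}
```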

JPA Security smoothly integrates with existing authentication solutions such as those specified in the servlet specification, EJB, or Spring Security. JPA Security may be configured to take the current user and its roles provided by these technologies and fill the security context with them.