Jakarta Security

Jakarta Security is a Jakarta EE specification that standardizes application-level authentication, authorization, and identity propagation for Jakarta-based enterprise applications (identity and access).

  • Unifies authentication and authorization APIs for Jakarta EE applications (identity and access).
  • Defines pluggable authentication mechanisms such as username/password and custom credential validation (identity and access).
  • Integrates with Jakarta Servlet, Jakarta RESTful Web Services, and other Jakarta EE technologies for security enforcement (application security).
  • Supports Role-Based Access Control (RBAC) and security context propagation within Jakarta EE containers (access control).
  • Provides an extensible Service Provider Interface (SPI) for integrating with external identity stores and security providers (identity integration).

More About Jakarta Security

Jakarta Security is a specification under the Jakarta EE umbrella that defines a unified, container-integrated programming model for authentication, authorization, and identity management in enterprise Java applications (identity and access). It targets the problem space of fragmented security approaches across different Jakarta EE APIs by offering a single, consistent way to secure web and enterprise components deployed to Jakarta EE compatible runtimes (application security).

The specification provides a standard Application Programming Interface (API) and Service Provider Interfaces (SPIs) for authentication mechanisms, credential validation, and security context handling (identity and access). It focuses on HTTP-based application security, integrating with Jakarta Servlet for web applications and Jakarta RESTful Web Services for Representational State Transfer (REST) endpoints (web and API security). Through these integrations, developers can apply security constraints and validation logic in a uniform way across servlets, filters, and REST resources without relying on proprietary container extensions.

Jakarta Security defines pluggable authentication mechanisms that allow containers and applications to support username/password logins, custom credential types, and interaction with various identity stores (identity and access). The SPI model enables integration with external user databases, directory services, or other credential repositories, while keeping the application code focused on business logic. The specification also standardizes how the authenticated identity is represented, accessed, and propagated through the Jakarta EE security context (access control).

In enterprise environments, Jakarta Security is used to apply RBAC, enforce authentication for protected resources, and coordinate security behavior across multiple Jakarta EE technologies running in the same application server (enterprise application security). It aligns with other Jakarta EE specifications such as Jakarta Authentication and Jakarta Authorization, providing a higher-level, application-centric model that builds on lower-level security services where present (identity and access).
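As an added example (not code from the page or from the Jakarta EE project), the following shows the two sides described above together: a custom IdentityStore implementation plugged in through the SPI, which validates username/password credentials against PBKDF2 hashes using the spec-provided Pbkdf2PasswordHash and maps callers to groups, and a BasicAuthenticationMechanismDefinition that activates HTTP Basic authentication in front of it. The user table, realm name and passwords are constructed sample values; role enforcement on a servlet is shown only as a comment because it lives in a separate class.

```java
import java.util.Map;
import java.util.Set;
import jakarta.annotation.PostConstruct;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.Pbkdf2PasswordHash;

// Activates HTTP Basic authentication for the application; the annotation may sit on
// any CDI bean. The container feeds the collected credential to every IdentityStore.
@BasicAuthenticationMechanismDefinition(realmName = "demo-realm") // constructed value
@ApplicationScoped
public class InMemoryIdentityStore implements IdentityStore {
    private record User(String hash, Set<String> groups) {}

    @Inject
    Pbkdf2PasswordHash passwordHash;   // spec-defined hasher, implementation supplied by the runtime
    private Map<String, User> users;

    @PostConstruct
    void init() {
        // Raise the iteration count above the spec default of 2048; hashes are generated at
        // startup so only hashes, never cleartext passwords, are kept (constructed sample users).
        passwordHash.initialize(Map.of("Pbkdf2PasswordHash.Iterations", "100000"));
        users = Map.of(
            "alice", new User(passwordHash.generate("s3cret-alice".toCharArray()), Set.of("admin", "user")),
            "bob",   new User(passwordHash.generate("s3cret-bob".toCharArray()),   Set.of("user")));
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential upc)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT; // leave other stores a chance
        }
        User u = users.get(upc.getCaller());
        // Unknown caller and wrong password both yield INVALID_RESULT, so the 401 response
        // does not disclose which usernames exist.
        if (u == null || !passwordHash.verify(upc.getPassword().getValue(), u.hash())) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        // The groups returned here become the roles the container checks for RBAC, e.g. a
        // servlet annotated @ServletSecurity(@HttpConstraint(rolesAllowed = "admin")).
        return new CredentialValidationResult(upc.getCaller(), u.groups());
    }
}
```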

From an architectural perspective, Jakarta Security positions itself as the application-facing security layer in the Jakarta EE stack (application security). It interoperates with the underlying container security infrastructure, making it possible for vendors to plug in their own implementations while applications rely on the standardized interfaces. For enterprises, this supports portability of secure applications across Jakarta EE compatible runtimes and simplifies governance of authentication and authorization patterns within Java-based systems.