EJB Security
1-Application Security Concepts
Authentication
- Authentication is a process that verifies the identity of a user, device, or other entity in a computer system, as a prerequisite to allowing access to resources in that system.
- In an EJB application, clients of EJBs may be applications or other EJBs. The EJB server determines the identity of all these types of client so that it can determine what level of access to grant.
Access Control Lists (ACLs)
- A way to control access for users in an application.
- An ACL file is made up of entries, which contain a set of permissions for a particular resource and a set of users who can access those resources.
2-JavaEE 5 Security Architecture
Realms
- A realm is a complete database of users and groups that identify valid users of a web application and are controlled by the same authentication policy.
- The Java EE server authentication service can manage users in multiple realms, including the file, admin-realm, and certificate realms.
Users and Principals
Group and roles
- A group is a set of authenticated users, classified by common traits, defined in the Application Server. Roles are abstract forms of groups.
- A role is a particular way that a user may interact with an application, and it also defines the access rights that the user must have to perform this interaction.
Role References
A security role reference defines a mapping between the name of a role that is called from a web component and the name of a security role that has been defined for the application. With the help of role references, the application assembler can easily change the role names without having any effect on the code.
Managing User
Users, groups, and roles are managed by the application server. An application prompts a user for their username and password before allowing them to access a protected resource. The application then passes that information to the server.
3-Mechanism of Caller Authentication JavaEE 5 Architecture
EJB tier authentication
- The EJB container can protect access to the EJBs by entrusting the user identification and authentication activities to the Web container.
- EJBs can be protected by Web components irrespective of whether the Web components are themselves protected or unprotected.
- The Web tier may allow users who are not currently authenticated to browse the unprotected Web resources.
Propagated Security Context
Specify whether a caller’s security identity should be used for the execution of specified methods of an enterprise bean, or whether a specific run-as identity should be used.
4-Authorization in JavaEE 5 Architecture
Declare authentication
Programmatic authentication
When coding programmatic security in an EJB, you can use the following two methods defined in the javax.ejb.EJBContext interface:
- public boolean isCallerInRole(String roleName)
- public Principal getCallerPrincipal()
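The two EJBContext methods above are typically combined with declarative method permissions. The following is an added example, not code from the original page: a session bean where the container enforces the role check and the bean adds a per-record rule that method permissions cannot express. The bean, interface, role names and sample data are hypothetical, and it assumes the caller principal's name is the employee ID.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical local business interface; in a project it lives in its own public file.
@Local
interface Payroll {
    String getSalaryRecord(String employeeId);
}

// Hypothetical bean, role names and data, all constructed for this example.
@Stateless
@DeclareRoles({"employee", "manager"}) // role names this bean refers to
public class PayrollBean implements Payroll {

    // Constructed sample records standing in for a real data store.
    private static final Map<String, String> RECORDS = new HashMap<String, String>();
    static {
        RECORDS.put("alice", "alice: grade 4");
        RECORDS.put("bob", "bob: grade 2");
    }

    @Resource
    private SessionContext ctx; // injected by the container; SessionContext extends EJBContext

    // Declarative layer: the container rejects callers in neither role
    // before this method body runs.
    @RolesAllowed({"employee", "manager"})
    public String getSalaryRecord(String employeeId) {
        Principal caller = ctx.getCallerPrincipal();
        boolean isManager = ctx.isCallerInRole("manager");
        // Assumption: the principal name is the employee ID.
        boolean ownRecord = caller.getName().equals(employeeId);

        // Programmatic layer: managers read any record, employees only their own.
        if (!isManager && !ownRecord) {
            throw new EJBAccessException("not permitted to read record " + employeeId);
        }
        String record = RECORDS.get(employeeId);
        if (record == null) {
            throw new IllegalArgumentException("no such record: " + employeeId);
        }
        return record;
    }
}
```

The ownership check runs before the lookup, so a caller who is not permitted to read a record gets the same access error whether or not that record exists.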
5-Security Responsibilities in JavaEE 5 Platform
Role in EJB
Responsibility of Bean Provider
- The bean provider may only define security roles for the EJB business methods in the ejb-jar.xml deployment descriptor.
- The bean provider sets the security role of the EJBs only to simplify the deployer's task.
Responsibility of Application Assembler
- The application assembler defines the security roles of the EJBs in the ejb-jar.xml file.
- The application assembler also defines the method permissions for each security role.
- The security roles and method permissions set in the deployment descriptor are referred to as the security view of the application.
Responsibility of Product Provider
- The container provider is responsible for providing the deployment tools that the deployer uses for deploying applications.
- The deployment tools enable the deployer to view the information present in the deployment descriptor.
Responsibility of System Administrator
- creating user accounts,
- adding users to user groups,
- removing users from user groups, and removing or freezing user accounts