Thứ Sáu, 5 tháng 9, 2014

EJB Security

EJB Security

1-Application Security Concepts

Authentication 

  •  Authentication is a process that verifies the identity of a user, device, or other entity in a computer system, to allowing access to resources in a system.
  •  In an EJB application, clients of EJBs may be applications or other EJBs. The EJB server determines the identity of all these types of client so that it can determine what level of access to grant.
Access Control Lists (ACLs)

  •  A way to control access for user in an applicationA way to control access for user in an application
  •  An ACL file is made up of entries, which contain a set of permissions for a particular resource and a set of users who can access those resources.
2-JavaEE 5 Security Architecture

Realms
  •  A realm is a complete database of users and groups that identify valid users of a web application  and are controlled by the same authentication policy. 
  • The Java EE server authentication service can manage users in multiple realms vs the file realm, admin-realm, and certificate realms 
Users and Principals
  • A realm is a complete database of users and groups that identify valid users of a web application  and are controlled by the same authentication policy.  
  • The Java EE server authentication service can manage users in multiple realms vs the file realm, admin-realm, and certificate realms
Group and roles
  • A group is a set of authenticated users, classified by common traits, defined in the Application Server. Roles are abstract forms of groups. 
  • A role is a particular way that a user may interact with an application and it also defines the access rights that the user must have to perform this interaction




Role References
   A security role reference defines a mapping between the name of a role that is called from a web component and the name of a security role that has been defined for the application With the help of role references, the application assembler can easily change the role names without having any effect on the code anywhere
Managing User
    Users, groups, and roles are managed by the application server An application prompts a user for their username and password before allowing them to access a protected resource After, the application passes that information to the server.
3-Mechanism of Caller Authentication JavaEE 5 Architecture 
EJB tier authentication




  • The EJB container can protect access to the EJBs by entrusting the user identification and authentication activities to the Web container. 
  • EJBs can be protected by Web components irrespective of whether the Web components are themselves protected or unprotected.  ]
  • The Web tier may allow users who are not currently authenticated to browse the unprotected Web resources. 
 Propagated Security Context 
       Specify whether a caller’s security identity should be used for the execution of specified methods of an enterprise bean, or whether a specific run-as identity should be used.
 
 
4-Authorization in JavaEE 5 Architecture  
 Declare authentication
 
 Progrmmatic authentication
When coding programmatic security in an EJB, you can use the
 following two methods defined in the javax.ejb.EJBContext interface:
+public boolean isCallerlnRolefString roleHame)
+public Principal getCallerPrincipal()




5-Security Responsibilities in JavaEE 5 Platform
Role in ejb
 

Responsibility of Bean Provider 
The bean provider may only define security roles for the EJB business methods in the ejb-jar.xml deployment descriptor.
The bean provider sets the security role of the EJBs only to simplify the deployer's task.

Responsibility of Application Assembler
The application assembler defines the security roles of the EJBs in the ejb-jar.xml file.
The application assembler also defines the method permissions for each security role. 
Security roles and method permissions set in the deployment descriptor is referred as security view of the application.
Responsibility of Product Provider
The container provider is responsible for providing the deployment tools that the deployer uses for deploying applications.
The deployment tools enable the deployer to view the information present in the deployment descriptor.
Responsibility of System Administrator

  •  creating user accounts,  
  • adding users to user groups,  
  • removing users from user groups,  and removing or freezing user accounts

Không có nhận xét nào:

Đăng nhận xét