EJB Container Security
© Copyright Sams Publishing. All rights reserved.
Security is an important issue in the development and deployment of every enterprise application. In EJB, security is implemented through the container's support for the security features specified in the EJB specification; the framework is designed so that security is built into the container, which makes implementing it nearly effortless.
The EJB security model is designed for enterprise applications and should not be used where EJBs are not in use. How you implement security within EJBs depends on the security requirements of your own application. Implementing it typically requires the following:
Defining users and groups
Associating application resources to users or groups
Providing efficient and different methods of maintaining security
Implementing logic to validate security at runtime
Implementing tools to manage users, groups, and privileges
Authentication is the process of verifying that a client is who it claims to be. Authentication is the foundation on which the remaining portions of the security model are built. Most EJB containers offer several authentication mechanisms. For example, Borland Enterprise Server supports authentication against JDBC, LDAP, or JDataStore, or through a custom security class.
Authorization is the process of granting rights to the underlying implementation. For example, you might require a certain set of rights before a given method can be called. Authentication can be implemented by the container, or you can implement the security programmatically within the bean's home interface. To help visualize how the authorization mechanisms work, look at the security sequence diagram shown in Figure 1.
Figure 1: Sequence diagram illustrating server-based authentication.
Secure communication is probably the simplest to implement, but the most complex if you look at the details that are hidden from you. JBuilder does not offer any special features to manage or implement secure communication; this is purely a feature of the container. For example, Borland Enterprise Server can communicate with clients or with other J2EE servers over SSL, configured through the container's console.
JBuilder's support is actually simple and is divided into two sections. The first is the capability to define the roles that will be available in the security editor (see Figure 2).
The second is the capability to assign security to any interface or method based on the role of the end-user (see Figure 3).
Figure 2: Building new roles for the security domain.
Figure 3: Assigning roles to an interface, a method, or both.
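The two halves of EJB authorization described above, the declarative roles assigned to interfaces and methods and the programmatic check "within the bean," meet in code like the following. This is an added example written for this page, not code from the book or from JBuilder; the bean, the "auditor" role name, and the business rule are hypothetical, and it follows the EJB 2.x SessionBean contract that the book's tooling targets.

```java
import java.security.Principal;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Hypothetical stateless session bean showing the programmatic side of EJB
// authorization. The container still enforces any <method-permission> entries
// from ejb-jar.xml (what JBuilder's security editor generates) before these
// methods are invoked; the check below adds a data-dependent rule that a
// descriptor alone cannot express.
public class AccountManagerBean implements SessionBean {
    private SessionContext ctx;

    // Role name as used in code. It must be declared in ejb-jar.xml as
    // <security-role-ref><role-name>auditor</role-name><role-link>Auditor</role-link>
    // so the deployer can map it onto the container's real role without recompiling.
    private static final String ROLE_AUDITOR = "auditor";

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }

    // Business method: a caller may view their own account; an auditor may view any.
    public String viewAccount(String ownerName) {
        // Identity established by the container's authentication step.
        Principal caller = ctx.getCallerPrincipal();
        boolean isOwner = caller.getName().equals(ownerName);
        boolean isAuditor = ctx.isCallerInRole(ROLE_AUDITOR);
        if (!isOwner && !isAuditor) {
            // Fail closed. An unchecked exception is a system exception to the
            // container: the transaction is rolled back, this instance is discarded,
            // and a remote client receives a RemoteException.
            throw new EJBException("Caller " + caller.getName()
                + " is not permitted to view the account of " + ownerName);
        }
        return "account details for " + ownerName; // placeholder for the real lookup
    }

    // Remaining lifecycle callbacks required by the EJB 2.x SessionBean contract.
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```

Declarative permissions decide whether viewAccount may be called at all; the programmatic check decides what the caller may see once inside, which is why both are needed for rules that depend on the data.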
About the Authors
Saleem Siddiqui is a technical architect and trainer with Dunn Solutions Group. He is also a Sun Certified Developer and a Borland Certified JBuilder Instructor. At Dunn, he provides consulting services and business application development.
Michael Landy is Director of Business Applications for Dunn Solutions Group directing the strategic solutions for clients.
Jeff Swisher is a technical manager for the Dunn Solutions Group business applications. He works as a programmer, trainer, architect, and instructional designer. He is a Sun Certified Java Developer and a Borland Certified Instructor in JBuilder.
Source of this material
This material is from Chapter 23: Developing Entity Beans from the book JBuilder Developer's Guide (ISBN: 0-672-32427-X) written by Saleem Siddiqui, Michael Landy, and Jeff Swisher, published by Sams Publishing.