Differentiate between Authentication and Authorization
Use the JAAS (Java Authentication and Authorizing Service ) interface
Recognize the importance of security in EJBs
Define Security Propagation
Define Object Handles in EJB
A container-managed persistent entity bean will let the container handle all the data access logic.
The container in a CMP can persist every field and it does this behind the scenes.
The fields present in the primary key class have to come from the container-managed fields of the entity bean. This will allow the container to set and extract the entity bean’s primary key fields.
In a container-managed persistent entity bean, the container manages the persistent operations.
The home interface of the bean defines the create() method. This is defined so that a new item can be created in the database.
The container-managed fields of the entity bean class have the primary key fields.
When the bean is deployed, JAWS will look for the jaws.xml file and on locating it, will read and configure the names of the database tables.
A jar file is created to package the three Java files, namely, the remote interface, the bean class, and the home interface. The jar file will build an archive, which will contain the three classes and the XML files. The XML files are present in the META-INF directory.
In CMP, the container performs persistence, and so it is very difficult for the developer to know the operations being performed. The container has to be decompiled, and only then will the code be available.
CMP entity beans help to develop persistent code, which results in rapid development of the application.
EJB Context The information about the status of the bean is Transactions performed by the bean and those involving the bean Environment Properties Home Object of the bean Security
EJB Context – The Gateway to the Container Container Gateway EJB context object is the to the
EJB context objects can be accessed from within the beans.
Hence, callbacks to the container can be performed using these context objects
Methods under javax.ejb.EJBContext Methods in javax.ejb.EJBContext getUserTransaction() getHome() getRollbackOnly() getCallerPrincipal() setRollbackOnly() isCallerInRole(String role)
Contexts in Session Beans
There are two types of contexts for the two types of beans in EJB
Session Contexts : For session beans
Entity Contexts : For entity beans
The session context interface is
public interface javax.ejb.SessionContext
public javax.ejb.EJBObject getEJBObject();
SessionContext.getEJBObject() and EntityContext.getEJBObject()
The advantage of Enterprise JavaBeans is that one bean can act as a client for the other beans.
When a bean has to make a call to another bean, the getEJBObject() method is used.
The this keyword is used in Java to reference the current object; in EJB this is not possible.
Security is an important issue when one works with enterprise applications.
Two important security measures Authentication Authorization
Java Authentication and Authorization Service
In the new EJB 2.0 specifications, authentication has been made portable and robust due to the addition of the (JAAS) Java Authentication and Authorization service, a separate J2EE API.
JAAS is a portable interface that allows users to log into any system without knowing what type of security system is being used.
JAAS also enables developers to write their own customized authentication modules that can be plugged in without the need to change client code.
The web-browser supplies the credentials in one of four ways.
Certificate based Authentication
Authentication (1) User Database containing usernames and passwords Security identity The security identity lasts till the client is connected
JAAS process of Authentication
In the JAAS process of authentication the following steps take place.
Client instantiates a new login context which is responsible for coordinating the authentication process.
This login context retrieves a configuration object, which contains information about the type of login.
The login context retrieves from the configuration object, the list of authentication mechanisms to use. (password-based, certificate-based).
Each item on the list of authentication mechanisms is called a login module.
The login context instantiates as many login modules as required by the several different security providers.
The login context initializes the modules.
JAAS process of Authentication
The login process is started by the client code by calling the login() method on the login context.
The login context passes on the login call to the login modules, since they have all the information about the actual login authentication process.
The login modules authenticate the user (client) using proprietary means. If the login succeeds the module is told to commit() and if it fails it can also abort() the module.
Authentication information is kept in a subject in the context and is used to perform secure operations.
The client code calls remote operations (such as in an EJB component) and the logged-in security context is automatically propagated along with the function call. The server now performs actual authentication based on the authentication data that is passed on in the security context.
<role-name> : Assigns a role name to the security identity
<role-link> : Links a name with a security role
<role-name> : Assigns a role to each EJB
<method-permission> : Determines which role has access to which methods
Programmatic Authorization Bean Security Checks Business Logic
Security checks are hard-coded into the bean.
Bean contains business logic methods with security checks
The signature of the code as well as the origin of the code is verified
Security roles are a collection of client’s identities.
The user’s security identity has to be associated with the correct security role for him to execute a particular operation
General User Authentication Logging In Authorization Well-defined security Role
Access Control Data Business objects Sub systems Access control policies User
Using Declarative Security
Security is always a major concern in any middleware service
Declarative security decouples the bean and opens the door to outsiders, thereby enabling them to modify security rules without modifying the bean code.
Security roles can be specified only on the bean class, and these specified security roles are applicable for all instances of the class.
The two ways of controlling security information in the deployment descriptor are:
The runAsMode deployment descriptor setting lists three settings, which can be classified as:
Security Context Propagation Portability
Enterprise JavaBeans do not have specific rules for the way containers deal with security.
JAAS sits at the boundary of the application, authenticates and authorizes each request for a secured page, and activates the JAAS modules.
Understanding EJB Object Handles Client Application Connection between client and server discontinued EJB Object handles Retains conversational state
The information determined by a bean regarding its status during runtime contains information about:
The home object of the bean.
The transaction that involves the bean. For instance, the bean need not go through a step if the transaction being performed is going to fail.
Security to authorize the client. The bean is capable of performing this by querying its environment. It can thus ensure that the client has security access levels to perform an operation.
The various environment properties that were responsible for the deployment of the bean.
The main objective of the context is to encapsulate the bean’s domain in a compact object.
The session bean context is called the session context and the entity bean context is known as the entity context .
When a bean has to make a call to another bean, the getEJBObject() method is used. Further, this method is also used when a reference has to be passed to a bean.
Authentication ensures that the identity of the client is true. The username and password are checked against a database, which contains a permanent client profile.
The process of granting permissions to the correct user is called authorization.
When declarative authorization is performed, the container performs the validations. In such a case, the focus is entirely on business logic.
In programmatic authorization , security checks are coded into the bean. The bean will contain business logic along with security checks.
Security roles can be defined as the collection of clients.
The isCallerRole() method ensures that the current caller falls into the security role. The getCallerPrincipal() method gets back the current caller’s security identity.
Security contexts sum up the security state of the caller and perform their functions behind the scenes.
EJB does not have specific rules for the way containers deal with security.
The EJB object handle can be defined as a long-lived proxy for an EJB object. In case the client disconnects himself from the EJB server or container, the EJB object handle can be used to reconnect to get back the conversational state with the particular bean.
In the new EJB 2.0 specifications, the JAAS architecture makes security more portable and robust.