Security
EJB specifies declarative attributes for
security authorization. Once a user has been authenticated (logged
in), access to enterprise beans can be monitored and controlled. The
declarative authorization attributes allow the container to control
which users can access which methods on specific bean types. In EJB
1.0, individual methods on a bean are associated with
Identity
objects that represent individual users
or groups of users called roles. Only users that are associated with
the correct Identity
objects can access the
bean’s methods. Using this approach, bean methods can be mapped
to a set of identities in the serializable deployment descriptor.
When a bean method is invoked at runtime, the container examines the
Identity
of the caller and compares it to the list
of Identity
objects associated with that method.
If the caller’s identity matches or is a member of one of the
identities associated with the method, the method can be invoked.
Although this authentication model works well—it allows
fine-grained functional authentication without requiring any code in
the bean itself—it also has some problems. In an operational
environment that supports ACL-based security, all the identities and
roles in an enterprise are part of the operational environment. To
choose Identity
objects to associate with bean methods, you must have access to the ACL repository of the environment that the bean will be deployed in. For this reason, it is normally assumed that the deployer in EJB ...
Get Enterprise JavaBeans, Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.