Chapter 11. Security in EJB: Protect Your Secrets

image with no caption

Keep your secrets. Security is about authentication and authorization. First, you have to prove your identity, and then we’ll tell you what you’re allowed to do. Security is easy in EJB, because you’re only dealing with authorization. You decide who gets to call which methods on your beans. Except one problem... if you’re a Bean Provider or App Assembler, you probably don’t know who the users are going to be! So you make stuff up. You make up roles, like job titles, including Manager, Supervisor, Admin, etc. and when someone deploys your application in a real company, that Deployer maps between your made-up names (Manager) and real people who will use the app.

Objectives

Security

Official:

What it really means:

14.1

Identify correct and incorrect statements about the EJB support for security management including security roles, security role references, and method permissions.

You have to know that you can do two kinds of security in EJB: programmatic and declarative. Declarative means your security is defined in the Deployment Descriptor. You need to know that security in EJB is mostly about declaring a set of abstract security roles, then declaring which methods each of those roles is allowed to call.

14.2

From a list of responsibilities, identify which belong to the Application Assembler, Bean Provider, Deployer, Container Provider, or System ...

Get Head First EJB now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial