Chapter 11. Managing Security

Security is of paramount importance for an enterprise. The EJB architecture provides comprehensive support for security management. This support is particularly useful given the wide variety of protocols and security mechanisms that enterprises may use today.

This chapter describes the EJB security environment from the point of view of an application developer, focusing on how he or she handles security. The chapter also focuses on how the deployer maps this security view to the security management infrastructure of the enterprise.

In today's environment, it is commonplace for EJB applications to control important business functions in the enterprise. Enterprise beans routinely have access to confidential data in the enterprise. To ensure the continued integrity and confidentiality of this data, it is important that only authorized users be permitted to invoke enterprise bean methods. An authorized user is a one whose position or role in the enterprise necessitates that he or she perform the business function implemented by the method, or it may be someone whose managerial responsibilities necessitate access to these business functions. For example, in the case of our example entity bean application in Chapter 8, it is important to ensure that confidential employee information, such as an employee's payroll data, is accessible only to the users who are authorized to access the information, such as the payroll department.

The basic security management problem that confronts an application developer is the diversity of security management approaches. Different enterprises manage security in many different ways in their operational environments. Most often, the goal of an application developer is to develop an application that can be deployed in multiple operational environments. When each such operational environment uses different security mechanisms and policies, it becomes a real challenge to address the security needs of the application.

Because both the application developer and the deployer potentially share the responsibilities for security management, a fine line must be maintained between the two because there are trade-offs when one or the other takes responsibility for implementing security policies. On the one hand, when the application developer designs and codes the security policies into the application, it is easier for the deployer to deploy the application if the policies meet the needs of the operational environment. However, the same application is no longer reusable across multiple operational environments. On the other hand, if the application developer leaves the security of the application to the deployer, the deployer must be familiar with the intimate details of the application to secure it in the operational environment.

The EJB architecture is designed so that the deployer bears the most burden for securing an application. At the same time, the EJB architecture makes the deployer's job easier. The security support in the EJB architecture allows the application developer to pass certain security-related information to the deployer. This information frees the deployer from having to understand the intimate details of the application in order to secure it.

The EJB architecture carefully apportions the responsibility for the security of EJB applications across the multiple EJB roles. The following sections describe the security responsibilities of the individual EJB roles.



Applying Enterprise Javabeans
Applying Enterprise JavaBeans(TM): Component-Based Development for the J2EE(TM) Platform
ISBN: 0201702673
EAN: 2147483647
Year: 2003
Pages: 110

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net