5.4 Authorization


Much of EJB security is concerned with authorization. In general, access to a deployed enterprise bean is via an ORB, such as RMI-IIOP. EJB authorization is based on a simplified CORBA security model, through which it is possible to establish whether an authenticated principal is authorized to invoke a method accessible via the ORB. The only architected means for a calling client to call a method on an enterprise bean is by calling it through RMI-IIOP.

As described in Section 5.2.2.1 on page 177 and Section 5.2.2.2 on page 178, the deployment descriptor defines the security roles that are authorized to execute each of the EJB methods. If a method anywhere in the deployment descriptor is listed in an exclude-list element, the method is not accessible from outside the bean itself, so client requests to call it are rejected. Conversely, if a method name appears under the unchecked element, any client is authorized to call the method. When a method has more than one security role associated with it, any authenticated client that is a member of one or more of those security roles is authorized to call the method; the client need not be a member of all of them, but must be a member of at least one.
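The following ejb-jar.xml fragment is an added example, not taken from the book, showing the three cases just described on one hypothetical AccountBean: a method-permission with two roles (membership in either suffices), an unchecked method, and an exclude-list entry. The bean name, class, method names and role names are assumptions for illustration.

```xml
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <session>
      <ejb-name>AccountBean</ejb-name>
      <ejb-class>com.example.AccountBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Logical roles; the deployer maps them to real principals or groups
         in the container's vendor-specific descriptor -->
    <security-role><role-name>teller</role-name></security-role>
    <security-role><role-name>auditor</role-name></security-role>

    <!-- getBalance: the caller must be a member of ANY ONE of the listed
         roles, not all of them -->
    <method-permission>
      <role-name>teller</role-name>
      <role-name>auditor</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>getBalance</method-name>
      </method>
    </method-permission>

    <!-- getBankName: unchecked, so any client may call it -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>getBankName</method-name>
      </method>
    </method-permission>

    <!-- resetAllBalances: on the exclude-list, so the container rejects
         every external call regardless of the caller's roles -->
    <exclude-list>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>resetAllBalances</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
```

A method that is neither listed in a method-permission nor in the exclude-list is a deployment error under the rules above, so every externally reachable method should be covered explicitly rather than left to container defaults.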

EJB clients are constrained in how they are allowed to manage their security contexts, as these affect authorization.

  • Transactional clients are not allowed to change their principal within a transaction.

  • Session bean clients are not allowed to change their principal for the duration of communication with the session object.

  • Finally, if a request for a specific transaction arrives from multiple clients, all the clients must have the same security context.



Enterprise Java™ Security: Building Secure J2EE™ Applications
ISBN: 0321118898
Year: 2004
Pages: 164
