Best Practices for EJB Security


You can provide security support to EJBs in two ways:

  • Declarations in the EJB deployment descriptor

  • A programmatic security interface

In general, EJB security settings should be considered within the entire application's security model. It is a recommended practice for Web-based applications to handle authentication within the Web tier. That way, the EJB tier contains very few security constraints. This arrangement simplifies the EJB design and because the security checks are localized to the presentation layer, the application can modify security policies without modifying the EJB tier.

Applications with standalone Java clients often directly access EJBs. Because there is no intermediate tier, the security access control must be handled in the EJB tier.

Declarative security control is preferred for simple applications. Because the security constraints are declared in the deployment descriptor, the bean class's business logic is not coupled with security checks. The declarative security model is based on security roles declared in the deployment descriptor. Declarative security works best when the number of roles is fixed and does not depend on the number of clients. For example, an EJB might include a user role and an admin role. Because there are only two access domains, it is quite easy to declare these roles in the deployment descriptor.

WLS Builder enables you to easily add security constraints in your deployment descriptors. Using declarative security has the advantage of the security policies being independent of the bean code. Security settings can easily be adjusted at deploy time to match the constraints of the runtime environment.

However, declarative security should not be used when each user requires individual security constraints. Such applications require programmatic security checks within the EJB code. It is also common practice to combine both security models. For example, a trader bean might use declarative security to ensure that only registered traders access any methods . The bean code then includes additional constraints to ensure that each trader gains access only to his account.



BEA WebLogic Platform 7
BEA WebLogic Platform 7
ISBN: 0789727129
EAN: 2147483647
Year: 2003
Pages: 360

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net