9.9. Integrating Web Tier and EJB Tier Security
It's taken a while to get here, but now that we've secured the web tier, we have the core infrastructure in place to secure the rest of the JAW Motors application. Although we've protected access to the InventoryFacadeBean EJB through the Controller Servlet in the web application, the EJB itself is still exposed: an unauthenticated or unauthorized external application could look up the InventoryFacadeBean directly and call its administrative methods, saveCars( ) and deleteCars( ), bypassing the web tier entirely. We must protect the EJB tier by securing the administrative methods on the InventoryFacadeBean, while still allowing non-secure access to the non-administrative methods: listAvailableCars( ), findCar( ), and buyCar( ). We'll show how the JBoss security manager, in keeping with the J2EE specification, propagates the user's credentials from the web tier to the EJB container. We now discuss EJB security in greater detail.
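As an added illustration (not the book's own deployment descriptors), this is how the split described above is expressed in an EJB 2.x `ejb-jar.xml` assembly descriptor and the matching `jboss.xml`: the administrative methods are restricted to a role, the public methods are declared unchecked, and the EJB module is bound to the same JBoss security domain as the web tier so the propagated credentials are evaluated against it. The `ejb-name` InventoryFacade, the role name Administrator, and the security-domain JNDI name are assumptions.

```xml
<!-- ejb-jar.xml (excerpt): added example, names assumed -->
<assembly-descriptor>
  <!-- Role that the administrative methods require (assumed name) -->
  <security-role>
    <role-name>Administrator</role-name>
  </security-role>

  <!-- Only callers in the Administrator role may invoke saveCars()
       and deleteCars(); a direct lookup without credentials is refused -->
  <method-permission>
    <role-name>Administrator</role-name>
    <method>
      <ejb-name>InventoryFacade</ejb-name>
      <method-name>saveCars</method-name>
    </method>
    <method>
      <ejb-name>InventoryFacade</ejb-name>
      <method-name>deleteCars</method-name>
    </method>
  </method-permission>

  <!-- Non-administrative methods stay open to any caller, so the public
       web pages keep working without a login -->
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>InventoryFacade</ejb-name>
      <method-name>listAvailableCars</method-name>
    </method>
    <method>
      <ejb-name>InventoryFacade</ejb-name>
      <method-name>findCar</method-name>
    </method>
    <method>
      <ejb-name>InventoryFacade</ejb-name>
      <method-name>buyCar</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

<!-- jboss.xml (excerpt): bind the EJB module to the security domain
     used by the web tier (JNDI name assumed) so the principal and roles
     propagated from the Controller Servlet are checked here too -->
<jboss>
  <security-domain>java:/jaas/jaw-security-domain</security-domain>
</jboss>
```

List every method of the remote and home interfaces in some method-permission element, either under a role or as unchecked; with a security domain set, JBoss rejects calls to methods that have no permission entry at all, which is the safe default but surprising when a method is simply forgotten.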