11.1 Responsibilities of the System Administrator

Previous page
Table of content
Next page

The system administrator is responsible for the overall security configuration of the enterprise's network environment. Although most of the system administrator's tasks are independent of specific applications deployed in the enterprise, these security administration tasks affect the deployment of EJB applications.

In this section, we describe the security administration procedures relevant to the discussion of EJB application security. Keep in mind that the EJB specification does not define or require these procedures; rather, they are typically used in enterprise environments.

The following system administration tasks are relevant to the deployment of an EJB application:

  • Administering security principals A security principal roughly corresponds to a user account. Administering security principals includes such tasks as adding and removing user accounts, adding a user account to the appropriate user groups, and so forth. A user group represents a group of users having a certain set of privileges. A user account may belong to multiple user groups.

  • Managing the necessary principal mappings on the enterprise's network Principal mapping is required in certain circumstances when related applications run in different security domains. For example, the system administrator must manage principal mapping when an application running in one security domain invokes an application or a database in a different security domain, and each security domain has its own set of security principals.

  • Integrating the EJB container into the enterprise's secure network environment

Let's look at some of the tasks that a system administrator at Star Enterprise may perform that are relevant to the deployment of the benefits application described in Chapter 8.

11.1.1 Administering Users and Security Principals

To begin, the Star Enterprise system administrator manages the user accounts and user groups. The system administrator creates a user account for a new employee. Depending on the employee's role in the enterprise, the system administrator adds the user account to the appropriate user groups. For example, when Mary Smith joins the benefits administration department as the department director, the system administrator creates a user account for her and adds her user account to the employees, payroll-department, and directors user groups.

The user account information is used for authentication and authorization purposes. Authentication takes place when a user connects to the system. For example, when Mary Smith logs in to her computer, she first needs to authenticate herself prove that she is indeed Mary Smith to the enterprise network security manager.

After she authenticates herself, Mary's session is associated with a security token. The security token represents the information from her user account, including the user groups to which the user account belongs, and it allows applications and servers to check authorizations. When Mary invokes an application or a database on the enterprise's network, the security token is passed along with the request to the target application or database. The target application or database server uses the passed security token to check whether Mary Smith is authorized to access the requested application or data.

11.1.2 Managing Principal Mapping

Passing the security token works only if the target application or database system understands the security token. If it is in a different security domain, the target application or database system may not understand the token. Such a situation necessitates one of two solutions:

  1. The user needs to log in to the target system. Mary Smith has to log in a second time, directly to the target application or database system.

  2. The enterprise security infrastructure maps the security token associated with Mary Smith's original session with her computer to another security token that is usable on the target system.

This second technique, called principal mapping, is managed by the system administrator. Principal mapping allows Mary Smith to use a single password across the entire set of applications and database systems at Star Enterprise.

In our benefits application example, the payroll system is an application running on a mainframe. The payroll system does not understand the security token received from the network on which Mary Smith's computer resides. In order for the payroll system to recognize Mary Smith or any other user from that network as an authorized user, the Payroll App Server EJB container (see Figure 8.1 on page 246) needs to perform principal mapping on the calls coming to the mainframe payroll application.

For the EJB container to perform principal mapping, the system administrator must have already set it up. The principal mapping maps all clients of PayrollEJB to a single mainframe user. From the perspective of the mainframe, all instances of PayrollBean use the identity of a single mainframe user, which we'll call payroll user, to invoke the mainframe payroll system. Within the mainframe environment, the payroll user is authorized to access all the information needed by PayrollEJB. Figure 11.1 illustrates mapping of principals.

Figure 11.1. Principal Mapping

graphics/11fig01.gif


Previous page
Table of content
Next page
Applying Enterprise Javabeans
Applying Enterprise JavaBeans(TM): Component-Based Development for the J2EE(TM) Platform
ISBN: 0201702673
EAN: 2147483647
Year: 2003
Pages: 110
Authors: Vlada Matena, Beth Stearns
BUY ON AMAZON
CompTIA Project+ Study Guide: Exam PK0-003
Metrics and Models in Software Quality Engineering (2nd Edition)
Oracle Developer Forms Techniques
The Complete Cisco VPN Configuration Guide
After Effects and Photoshop: Animation and Production Effects for DV and Film, Second Edition
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy