15.5 Secure Association


Securing the communication between containers is one part of a secure exchange of information. In addition to establishing an SSL session, it is important for the servers that host containers to verify the identity of the servers with which they are communicating. In the request flow depicted in Figure 15.1 on page 528, the Web container should validate the EJB container before propagating the request to invoke an enterprise bean. It is equally important for the EJB container to validate the trust it has in the invoking container. What is needed to provide such a trusted link is the facility to establish a secure association between the layers and to ensure secure interoperability.

If WASs communicate over IIOP, the WASs themselves can use CSIv2 to establish a secure association. If HTTP is used, the client and the server can engage in mutual-authentication SSL via HTTPS. Alternatively, the client can send its identity to the server as part of the HTTP header over a server-side SSL connection (see Section 3.11 on page 95). In general, appropriate security mechanisms should be used to ensure a secure and trusted communication link between the conversing servers, depending on the protocol of communication.
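The mutual-authentication SSL option described above, as an added sketch that is not from the book: a receiving tier requires a client certificate and then checks the caller's subject name against an allowlist of trusted front-end servers, since a valid certificate alone does not show that the peer is one of the expected servers. It uses plain JSSE sockets rather than a container's HTTPS configuration; the keystore file names, the `STORE_PASS` environment variable, the port and the distinguished name are assumptions.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

public class TrustedPeerListener {
    // Assumption: subject DNs of the Web-container servers allowed to call this tier.
    static final Set<X500Principal> TRUSTED_CALLERS = Set.of(
        new X500Principal("CN=web01.example.internal,O=Example,C=US"));
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }
    // True only if the peer presented a certificate whose subject is on the allowlist.
    static boolean isTrustedCaller(SSLSession session) {
        try {
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            return TRUSTED_CALLERS.contains(leaf.getSubjectX500Principal());
        } catch (SSLPeerUnverifiedException e) {
            return false; // no client certificate was verified for this session
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = System.getenv("STORE_PASS").toCharArray(); // assumed to be set
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("server-identity.p12", pw), pw);      // this server's own key and certificate
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("internal-ca-trust.p12", pw));        // CA that issues the peers' certificates
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            server.setNeedClientAuth(true);                  // handshake fails without a client certificate
            while (true) {
                try (SSLSocket peer = (SSLSocket) server.accept()) {
                    peer.startHandshake();
                    if (!isTrustedCaller(peer.getSession())) continue; // socket is closed on exit
                    peer.getOutputStream().write("OK\n".getBytes(StandardCharsets.US_ASCII));
                } catch (SSLException e) {
                    System.err.println("rejected peer: " + e.getMessage());
                }
            }
        }
    }
}
```

The calling side needs the mirror-image check: verify the server's certificate chain and confirm that the name it presents is the back-end server it meant to reach.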



Enterprise Java™ Security: Building Secure J2EE™ Applications
ISBN: 0321118898
EAN: 2147483647
Year: 2004
Pages: 164
