4.7 Principal Delegation

Frequently, multiple software components are aggregated to create a Web application. Often, these components call other components to perform specific tasks of the application. For example, in our travel agent scenario, the Web user interface calls components that look up travel fares, make reservations , and perform financial transactions. Some of these components need to be executed as though they were called by someone other than the user who initiated the transaction on the client side ”the person using the Web browser. The J2EE security model addresses this requirement through the use of principal delegation (see Section 3.10.3 on page 94). Principal delegation allows an intermediary to perform a task, initiated by a client, using an identity specified in a delegation policy. This is achieved through the declarative security support in J2EE.

In the case of Web applications, a delegation policy specifies whether downstream calls (see Section 3.7.3.4 on page 70) should occur with the authority of a particular J2EE security role. The principal-delegation behavior for downstream calls depends on whether a run-as element in a Web application's deployment descriptor is specified.

• When no run-as element is specified, the default behavior is that the identity calling the servlet is used for downstream method calls. As shown in Figure 4.8, bob is the identity under which both the servlet TravelCustomerServlet and the enterprise bean CustomerInfoBean are invoked.

  Figure 4.8. Principal-Delegation Scenario with No run-as Element

  

• When the Web application's deployment descriptor contains a run-as element, the identity under which the downstream method calls are performed is based on the value of its role- name subelement. As shown in Figure 4.9, if the role-name element in the run-as descriptor is set to the TravelAgent security role, all downstream method calls will be performed under an identity ”for example, agent ”that has been granted TravelAgent role. Which identity is picked to perform the downstream calls depends on the J2EE product implementation. The only requirement is that the identity the J2EE product uses to perform the downstream calls has been granted the specified security role. Listing 4.13 shows a deployment descriptor fragment setting the run-as security role-name element to TravelAgent .

  Figure 4.9. Principal-Delegation Scenario with a run-as Element

  

Listing 4.13. Deployment Descriptor Fragment Containing a run-as Element

 <servlet>    <servlet-name>TravelCustomer</servlet-name>    <description>       Travel customer specific information    </description>    <servlet-class>TravelCustomerServlet</servlet-class>    <run-as>       <role-name>TravelAgent</role-name>    </run-as> </servlet>