Chapter 5. EJB Security

No enterprise solution is complete without the ability to model business processes and perform transactions. These transactions may use existing, or legacy, systems or newly developed applications and databases. J2EE provides the EJB model for simplified development and deployment of high-performance transactional programs called enterprise beans . In particular, WASs specialize in providing containers for deploying and executing enterprise beans. For business applications to progress from small-scale endeavors to the demands of enterprisewide solutions, the development of EJB objects is usually adopted to model the business processes. As with all enterprise transaction processing, security is a key consideration.

This chapter outlines the basics of the EJB model and the relevant security considerations, including EJB support for authentication, authorization, and delegation. In particular, this chapter explains how each of the J2EE/EJB roles is involved in security, from the Enterprise Bean Provider to the Container Provider and the System Administrator. This discussion includes descriptions of the declarative security policies defined in the EJB deployment descriptor. This chapter also discusses how the EJB container enforces the declarative security policies, as well as how EJB components can programmatically enforce security to address any enterprise security requirements not addressed by the EJB specification. The chapter concludes by describing future directions for EJB security.