session 8 tp8

Adding Functionality to Bean

Session8

ACCP2005 / EJB 2.0/ Session 8/ 2 of 29

Objectives

Define the EJB context

Differentiate between Authentication and Authorization

Use the JAAS (Java Authentication and Authorizing Service ) interface

Recognize the importance of security in EJBs

Define Security Propagation

Define Object Handles in EJB


Review (1)

A container-managed persistent entity bean will let the container handle all the data access logic.

The container in a CMP can persist every field and it does this behind the scenes.

The fields present in the primary key class have to come from the container-managed fields of the entity bean. This will allow the container to set and extract the entity bean’s primary key fields.

In a container-managed persistent entity bean, the container manages the persistent operations.

The home interface of the bean defines the create() method. This is defined so that a new item can be created in the database.

The container-managed fields of the entity bean class have the primary key fields.


Review (2)

When the bean is deployed, JAWS will look for the jaws.xml file and on locating it, will read and configure the names of the database tables.

A jar file is created to package the three Java files, namely, the remote interface, the bean class, and the home interface. The jar file will build an archive, which will contain the three classes and the XML files. The XML files are present in the META-INF directory.

In CMP, the container performs persistence, and so it is very difficult for the developer to know the operations being performed. The container has to be decompiled, and only then will the code be available.

CMP entity beans help to develop persistent code, which results in rapid development of the application.


EJB Context

The information about the status of the bean is

Transactions performed by the

bean and those involving the beanEnvironment Properties

Home Object of the bean Security


EJB Context – The Gateway to the Container

Container

Gateway

EJB context object

is the to the

EJB context objects can be accessed from within the beans. Hence, callbacks to the container can be performed using these context objects


Methods under javax.ejb.EJBContext

Methods in javax.ejb.EJBContext

getUserTransaction()getHome()

getRollbackOnly()getCallerPrincipal()

setRollbackOnly()isCallerInRole(String role)


Contexts in Session Beans

There are two types of contexts for the two types of beans in EJB Session Contexts : For session beans Entity Contexts : For entity beans

The session context interface is

public interface javax.ejb.SessionContext extends javax.ejb.EJBContext{ public javax.ejb.EJBObject getEJBObject();}


SessionContext.getEJBObject() and

EntityContext.getEJBObject()

The advantage of Enterprise JavaBeans is that one bean can act as a client for the other beans.

When a bean has to make a call to another bean, the getEJBObject() method is used.

The this keyword is used in Java to reference the current object; in EJB this is not possible.


EJB Security

Two important security measures

Authentication

Security is an important issue when one works with enterprise applications.

Authorization


Java Authentication and Authorization Service

In the new EJB 2.0 specifications, authentication has been made portable and robust due to the addition of the (JAAS) Java Authentication and Authorization service, a separate J2EE API.

JAAS is a portable interface that allows users to log into any system without knowing what type of security system is being used.

JAAS also enables developers to write their own customized authentication modules that can be plugged in without the need to change client code.

The web-browser supplies the credentials in one of four ways. Basic Authentication Form-based Authentication Digest Authentication Certificate based Authentication


Authentication (1)

User

Database containing

usernames and passwords

Security identity

The security identity lasts till the client is connected


JAAS process of Authentication

In the JAAS process of authentication the following steps take place. Client instantiates a new login context which is

responsible for coordinating the authentication process. This login context retrieves a configuration object, which

contains information about the type of login. The login context retrieves from the configuration object,

the list of authentication mechanisms to use. (password-based, certificate-based).

Each item on the list of authentication mechanisms is called a login module.

The login context instantiates as many login modules as required by the several different security providers.

The login context initializes the modules.


JAAS process of Authentication

The login process is started by the client code by calling the login() method on the login context.

The login context passes on the login call to the login modules, since they have all the information about the actual login authentication process.

The login modules authenticate the user (client) using proprietary means. If the login succeeds the module is told to commit() and if it fails it can also abort() the module.

Authentication information is kept in a subject in the context and is used to perform secure operations.

The client code calls remote operations (such as in an EJB component) and the logged-in security context is automatically propagated along with the function call. The server now performs actual authentication based on the authentication data that is passed on in the security context.


Authorization

Authenticated Client

Granting permissions

Authorization

Permissions granted to

client

Programmatic Authorization

Declarative Authorization


Declarative Authorization (1)

Deployment Descriptors

Container Validations

Client

Security Roles Security Constraints

Access Bean Methods


Declarative Authorization (2) Tags in the ejb-jar.xml file are as follows:

<security-role-ref> <role-name> : Assigns a role name to the security identity<role-link> : Links a name with a security role

<security-identity> <run-as>

<role-name>: Assigns a role to each EJB <method-permission>: Determines which role has access to which methods

<role-name> <method>

<ejb-name> <method-name>


Programmatic Authorization

Bean

Security Checks Business Logic

Security checks are hard-coded into the bean.

Bean contains business logic methods with security checks

The signature of the code as well as the origin of the code is verified


Security Roles

Security roles are a collection of client’s identities.

The user’s security identity has to be associated with the correct security role for him to execute a particular operation

General User AuthenticationLogging In Authorization

Well-defined security Role


Access Control

Data

Business objects

Sub systems

Access control policies

User


Using Declarative Security

Security is always a major concern in any middleware service

Declarative security decouples the bean and opens the door to outsiders, thereby enabling them to modify security rules without modifying the bean code.

Security roles can be specified only on the bean class, and these specified security roles are applicable for all instances of the class.


Security Propagation

The two ways of controlling security information in the deployment descriptor are: runAsMode method runAsIdentity method

The runAsMode deployment descriptor setting lists three settings, which can be classified as: CLIENT_IDENTITY SYSTEM_IDENTITY SPECIFIED_IDENTITY


Security Context Propagation Portability

Enterprise JavaBeans do not have specific rules for the way containers deal with security.

JAAS sits at the boundary of the application, authenticates and authorizes each request for a secured page, and activates the JAAS modules.


Understanding EJB Object Handles

Client

Application

Connection between client and server discontinued

EJB Object handlesRetains conversational state


Summary (1)

The information determined by a bean regarding its status during runtime contains information about: The home object of the bean. The transaction that involves the bean. For instance, the bean need not go

through a step if the transaction being performed is going to fail. Security to authorize the client. The bean is capable of performing this by

querying its environment. It can thus ensure that the client has security access levels to perform an operation.

The various environment properties that were responsible for the deployment of the bean.

The main objective of the context is to encapsulate the bean’s domain in a compact object.

The session bean context is called the session context and the entity bean context is known as the entity context.

When a bean has to make a call to another bean, the getEJBObject() method is used. Further, this method is also used when a reference has to be passed to a bean.

Authentication ensures that the identity of the client is true. The username and password are checked against a database, which contains a permanent client profile.


Summary (2)

The process of granting permissions to the correct user is called authorization.

When declarative authorization is performed, the container performs the validations. In such a case, the focus is entirely on business logic.

In programmatic authorization, security checks are coded into the bean. The bean will contain business logic along with security checks.

Security roles can be defined as the collection of clients. The isCallerRole() method ensures that the current caller falls into the

security role. The getCallerPrincipal() method gets back the current caller’s security identity.

Security contexts sum up the security state of the caller and perform their functions behind the scenes.

EJB does not have specific rules for the way containers deal with security.

The EJB object handle can be defined as a long-lived proxy for an EJB object. In case the client disconnects himself from the EJB server or container, the EJB object handle can be used to reconnect to get back the conversational state with the particular bean.

In the new EJB 2.0 specifications, the JAAS architecture makes security more portable and robust.

session 8 tp8

Technology

bean security

authentication information

login process

new login context

login modules

jaas process of authentication

jaas java authentication

login method