Briefly describe the EJB security model.
Declarative model security : - In the earlier EJB architecture, security model of EJB is a declarative model.
- In this model the avoidance of the security code in the business model is implemented.
- Later the encouraging for bean provider to implement the enterprise bean security model is encouraged by the EJB architecture without hard coding these methods in the business methods.
- The EJB encourages the configuration at the deployment time for the security policies of the EJB application.
- In the enterprise environment this is one of the most appropriate approach.
- The ejb-jar elements for a security role are:
<security-role> :- The definition of the security role is specified in this element.
<role-name> :- The name of the role for the security is mentioned in this element. The name can be Admin, Architect,Owner.
<description> :- The description about the security model is given in the tag which is optional.
Custom Security :- Custom security encourages the bean provider to specify a mechanism for the security.
- The needs the business method to implement the security logic.
- The methods that support custom security at bean level are:
- java.security.Principal getCallerPrincipal()
- boolean isCallerInRole(java.lang.String roleName)
- Any security validation type can be customised along with these methods.
What are the EJB-specific issues in security management?
Authentication :- This is the security management issue that is handled by the EJB container.
- This security level is used to identify the verification of the user.
Authorization :- This ensures that the accessibility to the private resources only by the authorized user. To have the accessibility, the user is mandatory to authorized first.
Secure Communication : - The secure communication is ensured by the following guidelines:
1. The boundaries specified in the server must be observed strictly.
2. It is mandatory to use only the authorised API to communicate between the customer and the EJB application.
3. The roles for the users and users group should be appropriate that they use the right and relevant applications.
What are the ways to authenticate a client before it contacts the server?
- To authenticate a client container, first it is needed to authenticate which application server ensures that all the user roles will have the same name as corresponding the application server groups.
- The next step is to define the group with the appropriate name with one or more associated users.
- Every EJB application client authenticated by using Interoperable Object Reference, which was created for CORBA.
- All java EE compliant containers are supported by IOR.
- It is needed to specify the invoked EJB, a bean in the deployment descriptor.
- The following elements are to be scripted in ejb-jar.xml file:
1. <as-context> - To indicates that the IOR authentication service. The authentication mechanism specifies here.
2. The authentication method is specified by the <auth-method> tag.
3. This is set to USERNAME_PASSWORD which is the only value for an application client.
4. The client authenticated realm is specified by the <realm> tag.
5. The <required> element specifies whether the above authentication method is required to be used for client authentication.
Explain the steps involved in security design for EJB application.
1. Specify the web-tier security by specifying access control and authorised users.
2. Specify the EJB-tier security by specifying method permissions,programmatic security and unprotected web resources.
3. Specify the application-client security with various permissions for the client.
