EJB Security
CSCI 5931 Web Security
Kartikeya Kakarala
Young Ho Choung
Contents
– Introduction
– Traditional Client/Server Architecture
– Multi-tier Architecture
– EJB Architecture & its Roles
– EJB Security model
– Method Permissions
– Programmatic Security
– Conclusions
– References
Enterprise Java Beans
Introduction
• Enterprise Java Beans (EJB) is a standard server-side
component model
• The EJB architecture logically extends the Java
Beans component model to support server
components
• An EJB is a non-visual Java Bean that runs on a
server
Introduction (cont.)
• An EJB is
– A collection of Java classes
– An XML file
– Bundled into a single unit
– The Java classes must follow certain rules
– The Java classes must provide callback methods
Traditional Client/Server
Architecture
• In a traditional client/server application, the client
application contains:
– presentation logic (windows and control manipulation)
– business logic (algorithms and business rules)
– data manipulation logic (database connections and SQL
queries)
Multi-tier Architecture
• Client applications contain only presentation logic
– a thin client
• Business logic and data access logic are
partitioned into separate components and deployed
onto one or more servers
EJB Architecture
• EJB Architecture is gaining broad acceptance due
to its high-value benefits that directly address the
needs of today's diverse server development
community, like
– Scalability
– Simplicity
– Ease of development
– Security
– Interoperability
– Component based computing
– Application Containers
EJB Architecture Roles
• Various EJB Architecture roles handle EJB
development and deployment. They are:
– Bean Provider
– Application Assembler
– Deployer
– EJB Service Provider
– EJB Container Provider
– System Administrator
Bean Provider
• The Bean Provider
– Writes the individual Enterprise Java Beans.
– Can be a Business entity or system encapsulated as
entity or session beans.
– Creates deployment descriptor.
Application Assembler
• An Application Assembler
– Creates a full application from individual beans
– May also create JSPs and servlets that utilize those
beans.
– Edits the Deployment Descriptors to fit the application.
Deployer
• A Deployer
– Deploys the application into a running EJB Server.
– Sets up interaction between architecture as envisioned
by the assembler and actual environment in which it
runs.
EJB Service Provider &
EJB Container Provider
• The EJB Service Provider & EJB Container
Provider work together to write the EJB Server.
– Figure displaying the EJB model
System Administrator
• The System Administrator
– Takes care of the computer systems that run the EJB
Server and related services.
– Administers the operating systems and network related
to the server.
EJB Security model
• EJB 1.1 security model is
– Role based, and helps to restrict access to beans and
their methods based on a client’s role.
– It provides an easy way to control who can call which
beans and methods and automatically establishes the
identity of the caller.
– An example of defining roles is an online banking
application, pg 239, 240
Examples of Security Goals
– A customer can access only her own account
– A trader can only execute transactions that have a value
less than one million Swiss francs
– A tax inspector is prohibited from modifying her own
tax liability data
– An underage subscriber does not have access to an X-rated online movie
Method Permissions
• Access to the beans and their methods can be
limited based on roles.
• For this, each role must be listed in the deployment
descriptor.
• Method permissions are defined using method-permission
elements.
• Each method-permission element contains a role-name element and one or more EJBs and their
methods, as defined by ejb-name and method-name
elements. Sample of the method pg 240-241.
Programmatic Security
• Normally the Application Assembler and the Deployer
configure security in an EJB server.
• Sometimes the bean provider has to access some
security information programmatically, for which EJB
provides 2 methods
– Principal getCallerPrincipal()
– boolean isCallerInRole(String roleName)
First Method
• getCallerPrincipal()
– It returns a Principal object corresponding to the
identity of the caller.
– It allows the use of the identity of the caller inside the
code of the bean.
– Example: if we want a customer to view their own
balance but nobody else's, we could do that by getting
the principal of the caller and using that to fetch their
account.
– pg 242.
Second Method
• isCallerInRole()
– Boolean function returning true if the caller is in the
role, otherwise false.
– Usually used when simple permissions are not enough.
– Example: if we have a situation where we need to give
permission to bankers to only add up to $1000 to an
account at a time and admin be given all rights. This can
be done as on Pg 243
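Added example (not from the slides or the cited book): a sketch of a session bean that uses both methods for the two cases described above. The class name AccountBean, the role name "banker", the sample account and the in-memory balances map are assumptions made for illustration; the code needs the javax.ejb API and an EJB container to run.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Hypothetical bean: class name, role names and the account store are assumptions.
public class AccountBean implements SessionBean {
    private static final double BANKER_LIMIT = 1000.0;
    private SessionContext ctx;
    // Constructed stand-in for a real data store, keyed by principal name.
    private final Map<String, Double> balances = new HashMap<>();

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() { balances.put("alice", 250.0); } // constructed sample data
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // The account is selected from the identity the container established,
    // never from a client-supplied id, so a caller only sees their own balance.
    public double getBalance() {
        Principal caller = ctx.getCallerPrincipal();
        Double balance = balances.get(caller.getName());
        if (balance == null) {
            throw new EJBException("No account for caller " + caller.getName());
        }
        return balance;
    }

    // Method permissions decide who may call deposit() at all; the limit
    // depends on the argument value, so it has to be checked in code.
    // Role names used here must be declared in the deployment descriptor.
    public void deposit(String accountId, double amount) {
        if (Double.isNaN(amount) || Double.isInfinite(amount) || amount <= 0) {
            throw new IllegalArgumentException("Amount must be a positive number");
        }
        boolean admin = ctx.isCallerInRole("admin");
        boolean banker = ctx.isCallerInRole("banker");
        // Deny by default: admin has no limit, banker only up to the limit.
        if (!admin && !(banker && amount <= BANKER_LIMIT)) {
            throw new SecurityException("Caller may not deposit " + amount);
        }
        balances.merge(accountId, amount, Double::sum);
    }
}
```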
Security-role-ref Element
• The Security-role-ref element
– It alerts the Application Assembler and the Deployer if a
particular role has a dependency in a bean.
– <security-role-ref>
    <description>
      This security role will have no limit on the size
      of transaction
    </description>
    <role-name>admin</role-name>
  </security-role-ref>
– Pg 243
Conclusions
• EJB Security focuses on minimal programmatic and
declarative access control mechanisms.
• This mechanism provides role-based access
control for EJB.
• Access restriction can be successfully obtained
using EJB Security model.
References
• Garms, Jess and Daniel Somerfield. Professional Java
Security. Wrox. 2001. (ISBN: 1861004257)
• Article on EJB Security by Paul Perrone,
http://www.informit.com
• www.ibm.com/research/security
• www.javaworld.com/javaworld/jw-02-2002/jw-0215ejbsecurity.html
• www.java.sun.com/ejbsecurity