5.3 Authentication

< Day Day Up >

5.3 Authentication The EJB specification does not directly address the issue of authentication and the authentication process. Most of the specification deals with authenticated principals and the actions they can take, such as invoking EJB methods. In most respects, the model follows a simplified version of the Common Object Request Broker Architecture (CORBA) security model. Authentication is the responsibility of the EJB container and could be implemented using JAAS, as described in Chapter 9 on page 289. It is the EJB Container Provider's responsiblity to use, as appropriate, existing authentication mechanisms provided by the underlying platforms or security providers. In the CORBA authentication model, an ORB, such as RMI-IIOP, receives a method invocation request and examines the security attributes of the request prior to method dispatch. If the principals are authenticated, the process moves on to the authorization phase. Aside from the authorization process, the result of authentication appears in several places. In particular, EJB technology includes the concept of a security role. A security role is a set of J2EE permissions to make it easier for the Deployer and the System Administrator to administer authorization. When a client attempts to access an EJB method, the calling principal is logically assigned to zero or more security roles defined by the application, as configured by the Deployer. For the Enterprise Bean Provider, authenticated-user information appears in two methods in the EJBContext interface, as described in Section 5.2.1.3 on page 167. The first method conveying user information is isCallerInRole(). After the requesting principal is authenticated, the principal is assigned one or more security roles. If authorization is successful, the target enterprise bean method is invoked. During the execution of the EJB method, the enterprise bean code can determine whether the caller is a member of a specific security role. The EJB container evaluates whether the user is granted the role, based on the mapping between the String argument to the isCallerInRole() method and the roles declared in the enterprise bean's deployment descriptor. The second method, getCallerPrincipal(), returns a Principal object representing the authenticated principal currently executing the enterprise bean. The result of getCallerPrincipal() is implementation specific and is discussed in Section 5.5. From an authentication perspective, the EJB Container Provider is responsible for providing tools and runtime support for The EJBContext methods getCallerPrincipal() and isCallerInRole() Security role name mappings as defined in the EJB deployment descriptor Tools for the Deployer and the System Administrator to perform security administration, including security role mapping and assignment of roles to principals or user groups Principal authentication and delegation support in the ORB

< Day Day Up >