JEE and EJB provide a set of services that developers can integrate declaratively or programmatically. These services include authorization and authentication.
authentication and identification
authentication is to verify that the user is who claims to be. In an EJB system, a user is associated with Secured identity, this is ready to be used by the EJB. When a client invokes a method on an EJB, the server passes the client's identity with the method invocation. When the EJB container receives the invocation validates the user's identity and whether it can invoke the method invoked. 
When you access an EJB many applications use the JNDI API, for example we can authenticate access to an EJB as follows: properties.put (Context.SECURITY_PRINCIPAL, "username"); properties.put (Context.SECURITY_CREDENTIALS, "password"); Context ctx = new InitialContext (properties);
jndiContext.lookup Object ref = ("SecureBean / remote");
SecureRemoteBusiness remote = (SecureRemoteBusiness) ref;
In the example, the user is authenticated with the connection to the "JNDI InitialContext"
Authorization.
Roles are defined in a logical and may represent roles, groups, or any other identification. The roles of the EJBs are mapped to actual users and groups when the bean is deployable.
applications as we know we are not all equal, each user has a role to an application such as "administrator", "employee", etc.. and each role can do or not do certain actions, ie have or not have permission to. In
EJB there are different types of granularity of permissions can be set per user or role. This allows authentication to a separate process of approval.
Permission is well defined in the EJB specification. Roles are declared programmatically and then indicate the permissions for the beans through annotations and ejb-jar.xml incurring
saw so EJB security theory in a future post we will do something more practical.
0 comments:
Post a Comment