security8.html
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
    <meta http-equiv="Content-Style-Type" content="text/css" />
    <title>EJB-Tier Security</title>
    <link rel="StyleSheet" href="document.css" type="text/css" media="all" />
    <link rel="StyleSheet" href="catalog.css" type="text/css" media="all" />
    <link rel="Table of Contents" href="J2EETutorialTOC.html" />
    <link rel="Previous" href="Security7.html" />
    <link rel="Next" href="Security9.html" />
    <link rel="Index" href="J2EETutorialIX.html" />
  </head>
  <body>
    <table width="550" summary="layout" id="SummaryNotReq1">
      <tr>
        <td align="left" valign="center">
          <font size="-1">
            <a href="http://java.sun.com/j2ee/1.4/download.html#tutorial" target="_blank">Download</a>
            <br />
            <a href="http://java.sun.com/j2ee/1.4/docs/tutorial/information/faq.html" target="_blank">FAQ</a>
            <br />
            <a href="http://java.sun.com/j2ee/1.4/docs/tutorial/information/history.html" target="_blank">History</a>
          </font>
        </td>
        <td align="center" valign="center">
          <a accesskey="p" href="Security7.html"><img id="LongDescNotReq1" src="images/PrevArrow.gif" width="26" height="26" border="0" alt="Prev" /></a>
          <a accesskey="c" href="J2EETutorialFront.html"><img id="LongDescNotReq1" src="images/UpArrow.gif" width="26" height="26" border="0" alt="Home" /></a>
          <a accesskey="n" href="Security9.html"><img id="LongDescNotReq3" src="images/NextArrow.gif" width="26" height="26" border="0" alt="Next" /></a>
          <a accesskey="i" href="J2EETutorialIX.html"></a>
        </td>
        <td align="right" valign="center">
          <font size="-1">
            <a href="http://java.sun.com/j2ee/1.4/docs/api/index.html" target="_blank">API</a>
            <br />
            <a href="http://java.sun.com/j2ee/1.4/docs/tutorial/information/search.html" target="_blank">Search</a>
            <br />
            <a href="http://java.sun.com/j2ee/1.4/docs/tutorial/information/sendusmail.html" target="_blank">Feedback</a>
          </font>
        </td>
      </tr>
    </table>
    <img src="images/blueline.gif" width="550" height="8" align="bottom" naturalsizeflag="3" alt="Divider" />
    <blockquote>
      <a name="wp299468"> </a><h2 class="pHeading1">EJB-Tier Security</h2>
      <a name="wp299469"> </a><p class="pBody">The following sections describe declarative and programmatic security mechanisms that can be used to protect resources in the EJB tier. The protected resources include methods of enterprise beans that are called from application clients, Web components, or other enterprise beans.</p>
      <a name="wp299471"> </a><p class="pBody">You can protect EJB-tier resources by doing the following:</p>
      <div class="pSmartList1"><ul class="pSmartList1">
        <a name="wp299472"> </a><div class="pSmartList1"><li>Declaring method permissions</li></div>
        <a name="wp299473"> </a><div class="pSmartList1"><li>Mapping roles to J2EE users and groups</li></div>
      </ul></div>
      <a name="wp299476"> </a><p class="pBody">For information about mapping roles to J2EE users and groups, see <a href="Security3.html#wp298631">Mapping Roles to Users and Groups</a>.</p>
      <a name="wp299478"> </a><h3 class="pHeading2">Declaring Method Permissions</h3>
      <a name="wp299482"> </a><p class="pBody">After you've defined the roles (see <a href="Security3.html#wp79740">Setting up Security Roles</a>), you can define the method permissions of an enterprise bean. Method permissions indicate which roles are allowed to invoke which methods.
You can define method permissions in different ways.</p><div class="pSmartList1"><ul class="pSmartList1"><a name="wp299484"> </a><div class="pSmartList1"><li>You can apply method permissions to all of the methods of the specified enterprise bean's home, component, and/or Web service endpoint interfaces.</li></div><a name="wp299485"> </a><div class="pSmartList1"><li>You can apply method permissions to the specified method of the enterprise bean. If the enterprise bean contains multiple methods with the same method name, the method permission applies to all of the methods.</li></div><a name="wp299486"> </a><div class="pSmartList1"><li>If the enterprise bean contains multiple methods with the same method name but the methods have different method parameters (such as <code class="cCode">create(a,b)</code> and <code class="cCode">create(a,b,c)</code>), you can apply method permissions by specifying the method parameters.</li></div></ul></div><a name="wp299497"> </a><p class="pBody">In general, use <code class="cCode">deploytool</code> to specify method permissions by mapping roles to methods:</p><div class="pSmartList1"><ol type="1" class="pSmartList1"><a name="wp299498"> </a><div class="pSmartList1"><li>Select the enterprise bean.</li></div><a name="wp299499"> </a><div class="pSmartList1"><li>Select the Security tab.</li></div><a name="wp430147"> </a><div class="pSmartList1"><li>Select the interface type (Local, Local Home, Remote, or Remote Home) and the table displays methods contained in the selected interface. 
If no interfaces have been defined, the interface buttons will be disabled.</li></div>
        <a name="wp299500"> </a><div class="pSmartList1"><li>In the Method permissions table, select Sel Roles in the Availability column.</li></div>
        <a name="wp299501"> </a><div class="pSmartList1"><li>Then select a role's checkbox if that role should be allowed to invoke a method.</li></div>
      </ol></div>
      <a name="wp439865"> </a><h3 class="pHeading2">Configuring IOR Security</h3>
      <a name="wp439976"> </a><p class="pBody">Enterprise beans that are deployed in one vendor's server product are often accessed from J2EE client components that are deployed in another vendor's product. Common Secure Interoperability version 2 (CSIv2), a CORBA/IIOP-based standard interoperability protocol, addresses this situation by providing authentication, integrity and confidentiality protection, and principal propagation for invocations on enterprise beans that take place over an enterprise's intranet.</p>
      <a name="wp439977"> </a><p class="pBody">CSIv2 configuration settings are specified in the Interoperable Object Reference (IOR) of the target enterprise bean; the IOR security configuration dialog is where you enter that security information.</p>
      <a name="wp439978"> </a><p class="pBody">To get to the IOR security configuration dialog, select the enterprise bean to which you want to add the settings in the <code class="cCode">deploytool</code> tree view. From the General tabbed pane, select Sun-specific Settings. In the General sub-pane of the EJB Settings pane, press the IOR button.</p>
      <a name="wp439979"> </a><p class="pBody">In the Transport Configuration sub-pane:</p>
      <div class="pSmartList1"><ul class="pSmartList1">
        <a name="wp439980"> </a><div class="pSmartList1"><li>The Integrity field specifies whether the target supports integrity-protected messages for transport.</li></div>
        <a name="wp439981"> </a><div class="pSmartList1"><li>The Confidentiality field specifies whether the target supports privacy-protected messages (SSL) for transport.</li></div>
        <a name="wp439982"> </a><div class="pSmartList1"><li>The Establish Trust in Target field specifies whether or not the target component is capable of authenticating itself to a client for transport. This is used for mutual authentication, so that the client can validate the server&#39;s identity.</li></div>
        <a name="wp439983"> </a><div class="pSmartList1"><li>The Establish Trust in Client field specifies whether or not the target component is capable of authenticating a client for transport (the target asks the client to authenticate itself).</li></div>
      </ul></div>
      <a name="wp439984"> </a><p class="pBody">In each of these fields, you can select whether the item is supported, required, or none (not activated).</p>
      <a name="wp439985"> </a><p class="pBody">In the As Context sub-pane:</p>
      <div class="pSmartList1"><ul class="pSmartList1">
        <a name="wp439986"> </a><div class="pSmartList1"><li>Use the Required drop-down list to indicate whether the specified authentication method must be used for client authentication. True means the specified authentication method is required; False means it is not required.</li></div>
        <a name="wp439987"> </a><div class="pSmartList1"><li>Use the Authorization Method drop-down list to select the method by which the client is authenticated. The only supported value is <code class="cCode">USERNAME_PASSWORD</code>.</li></div>
        <a name="wp439988"> </a><div class="pSmartList1"><li>Use the Realm field to identify the realm in which the user is authenticated.</li></div>
      </ul></div>
      <a name="wp439989"> </a><p class="pBody">In the Duke&#39;s Bank example, the As Context setting is used to require client authentication (with username and password) when access to protected methods in the <code class="cCode">AccountControllerBean</code> and <code class="cCode">CustomerControllerBean</code> components is attempted.</p>
      <a name="wp439990"> </a><p class="pBody">In the Sas Context sub-pane:</p>
      <div class="pSmartList1"><ul class="pSmartList1">
        <a name="wp439991"> </a><div class="pSmartList1"><li>Use the Caller Propagation drop-down list to indicate whether or not the target component will accept propagated caller identities.</li></div>
      </ul></div>
      <a name="wp439992"> </a><p class="pBody">In the Duke&#39;s Bank example, the Sas Context setting is set to Supported for the <code class="cCode">AccountBean</code>, <code class="cCode">CustomerBean</code>, and <code class="cCode">TxBean</code> components, indicating that these target components will accept propagated caller identities.</p>
      <a name="wp299503"> </a><h3 class="pHeading2">Using Programmatic Security in the EJB Tier</h3>
      <a name="wp299507"> </a><p class="pBody">Programmatic security in the EJB tier consists of the <code class="cCode">getCallerPrincipal</code> and the <code class="cCode">isCallerInRole</code> methods.
You can use the <code class="cCode">getCallerPrincipal</code> method to determine the caller of the enterprise bean, and the <code class="cCode">isCallerInRole</code> method to determine if the caller has the specified role.</p>
      <a name="wp299508"> </a><p class="pBody">The <code class="cCode">getCallerPrincipal</code> method of the <code class="cCode">EJBContext</code> interface returns the <code class="cCode">java.security.Principal</code> object that identifies the caller of the enterprise bean. (In this case, a principal is the same as a user.) In the following example, the <code class="cCode">getUser</code> method of an enterprise bean returns the name of the J2EE user that invoked it:</p>
      <div class="pPreformattedRelative"><pre class="pPreformattedRelative">public String getUser() {
    return context.getCallerPrincipal().getName();
}
<a name="wp299509"> </a></pre></div>
      <a name="wp299510"> </a><p class="pBody">You can determine whether an enterprise bean's caller belongs to the <code class="cCode">Customer</code> role.</p>
      <div class="pPreformattedRelative"><pre class="pPreformattedRelative">boolean result = context.isCallerInRole(&quot;Customer&quot;);
<a name="wp299511"> </a></pre></div>
      <a name="wp299512"> </a><h3 class="pHeading2">Unauthenticated User Name</h3>
      <a name="wp299513"> </a><p class="pBody">Web applications accept unauthenticated Web clients and allow these clients to make calls to the EJB container. The EJB specification requires a security credential for accessing EJB methods.
Typically, the credential will be that of a generic unauthenticated user.</p>
    </blockquote>
    <img src="images/blueline.gif" width="550" height="8" align="bottom" naturalsizeflag="3" alt="Divider" />
    <p><font size="-1">All of the material in <em>The J2EE(TM) 1.4 Tutorial</em> is <a href="J2EETutorialFront2.html">copyright</a>-protected and may not be published in other works without express written permission from Sun Microsystems.</font></p>
  </body>
</html>
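The deploytool steps in Declaring Method Permissions are recorded in the bean's ejb-jar.xml deployment descriptor. The fragment below is an added example, not code from the tutorial or from Duke's Bank: it expresses the three granularities the page lists for the AccountControllerBean named above, and declares the security-role-ref that the isCallerInRole("Customer") call in the programmatic section depends on. The role name BankAdmin, the getAccount method and the String parameter types are assumptions, and the bean's class and interface elements are omitted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <session>
      <ejb-name>AccountControllerBean</ejb-name>
      <!-- isCallerInRole("Customer") in the bean code only resolves if the
           name is declared here and linked to an assembly-level role. -->
      <security-role-ref>
        <role-name>Customer</role-name>
        <role-link>Customer</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>Customer</role-name></security-role>
    <security-role><role-name>BankAdmin</role-name></security-role> <!-- assumed role -->
    <!-- Granularity 1: every method on every interface of the bean. -->
    <method-permission>
      <role-name>BankAdmin</role-name>
      <method>
        <ejb-name>AccountControllerBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <!-- Granularity 2: one method name on one interface; covers every overload. -->
    <method-permission>
      <role-name>Customer</role-name>
      <method>
        <ejb-name>AccountControllerBean</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>getAccount</method-name> <!-- assumed method name -->
      </method>
    </method-permission>
    <!-- Granularity 3: overloads told apart by parameter list, e.g. create(a,b)
         versus create(a,b,c); only the two-argument form is opened to Customer. -->
    <method-permission>
      <role-name>Customer</role-name>
      <method>
        <ejb-name>AccountControllerBean</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>create</method-name>
        <method-params>
          <method-param>java.lang.String</method-param> <!-- assumed types -->
          <method-param>java.lang.String</method-param>
        </method-params>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

Method permissions are additive: a caller may invoke a method when any entry grants it to one of the caller's roles, so the three-argument create is reachable here only through the BankAdmin wildcard entry.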
