
Security with getHandle() in EJBObject

 
Stephan Staeheli
Greenhorn
Posts: 27
Hello everybody
I wonder how the security thing works with the getHandle() method in EJBObject. In HFEJB on page 140 there is a note that security is on a method-by-method basis. I know how this works, but I wonder how the container knows who is on the other side of the EJBObject?

When I do the standard way to get the component interface (over JNDI) I register the user through InitialContext/SECURITY_PRINCIPAL. But when I serialize my handle and bring it to my evil-minded neighbour, can't he use it to do whatever he likes with my "user" as principal? Ain't this right?

Or did I just misunderstand page 140 of HFEJB and there is no other authentication, just authorization?

Regards,
Stephan
 
Nathaniel Stoddard
Ranch Hand
Posts: 1258
The user information won't be serialized in the handle. So, if it is serialized and passed around to somebody else, when the bean is instantiated again, the new user will still have to authorize itself to the container before it can invoke methods.

As for your last comment -- I'm a bit confused -- it's hard to have authorization without authentication. If I remember correctly though, HFEJB does talk quite a bit about what happens when a handle gets passed around once it's serialized.
 
Ko Ko Naing
Ranch Hand
Posts: 3178
Originally posted by Stephan Staeheli:
Or did I just misunderstand page 140 of HFEJB and there is no other authentication, just authorization?

Since EJB is in the business tier of J2EE, all kinds of authentication will be done in the web tier via servlets or JSPs... Unless the user passes those authentications in the web tier, the user cannot get into the business tier. So there is only authorization needed to verify that the user has a certain access to do things with EJBs...

Hope it helps...
 
Stephan Staeheli
Greenhorn
Posts: 27
Originally posted by Nathaniel Stoddard:
So, if it is serialized and passed around to somebody else, when the bean is instantiated again, the new user will still have to authorize itself to the container before it can invoke methods.

You thought about authentication, not authorization, right? But how do you authorize yourself to the container? That happens with the Properties in the InitialContext, right? But when you already have a Handle, you don't need an InitialContext and so you don't have to authorize yourself. What happens then, a security exception?
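A worked illustration of the point argued across this thread (Nathaniel's reply that the user information is not serialized in the handle, and Stephan's question of what happens when a deserialized Handle is used without any InitialContext), added here as an example; it is not code from the thread or from HFEJB. The javax.ejb, javax.naming and javax.rmi calls are the standard EJB 2.x API. The JNDI name ejb/Account, the roles "customer" and "teller", the user "stephan" and the password are assumptions, and which identity the receiving JVM ends up presenting to the container (usually anonymous/guest) is container-specific.

```java
// Added illustration, not from the thread. Three source files shown in sequence.
// Assumptions: JNDI name "ejb/Account", roles "customer"/"teller", user "stephan".

// ---------- AccountHome.java (remote home interface) ----------
import java.rmi.RemoteException;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;

public interface AccountHome extends EJBHome {
    Account create() throws CreateException, RemoteException;
}

// ---------- Account.java (remote component interface) ----------
import java.rmi.RemoteException;
import javax.ejb.EJBObject;

public interface Account extends EJBObject {
    String whoAmI() throws RemoteException;              // <method-permission> role "customer"
    void transfer(double amount) throws RemoteException; // <method-permission> role "teller"
}

// ---------- AccountBean.java (stateless session bean) ----------
import java.security.Principal;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class AccountBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // The principal is attached by the container to *this invocation*; nothing
    // about the user is stored in the bean, the EJBObject or its Handle.
    public String whoAmI() {
        Principal caller = ctx.getCallerPrincipal();
        return caller.getName();
    }

    public void transfer(double amount) {
        // The declarative <method-permission> in ejb-jar.xml is checked by the
        // container before this line runs; the programmatic check is a second layer.
        if (!ctx.isCallerInRole("teller")) {
            throw new EJBException("caller is not a teller");
        }
        // ... business logic ...
    }
}

// ---------- HandleClient.java (the "evil-minded neighbour" scenario) ----------
import java.io.*;
import java.rmi.AccessException;
import java.util.Properties;
import javax.ejb.Handle;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;

public class HandleClient {
    // Stephan's JVM: authenticate via the InitialContext, create the bean, get its Handle.
    static Handle obtainHandle(String user, String password) throws Exception {
        Properties env = new Properties();
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        Context ic = new InitialContext(env);
        Object ref = ic.lookup("ejb/Account");   // assumed JNDI name
        AccountHome home = (AccountHome) PortableRemoteObject.narrow(ref, AccountHome.class);
        return home.create().getHandle();
    }

    // Only the reference to the EJBObject is written; no principal, no credentials.
    static byte[] toBytes(Handle h) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(h);
        oos.close();
        return bos.toByteArray();
    }

    // The neighbour's JVM: no InitialContext, no SECURITY_PRINCIPAL, just the bytes.
    static void useHandle(byte[] bytes) throws Exception {
        Handle h = (Handle) new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
        Account account = (Account) PortableRemoteObject.narrow(h.getEJBObject(), Account.class);
        try {
            // Runs under whatever identity the *receiving* JVM has established with
            // the container (container-specific, typically anonymous), never as "stephan".
            System.out.println("caller seen by the bean: " + account.whoAmI());
            account.transfer(100.0);
        } catch (AccessException e) {
            // EJB 2.x: a remote client whose principal fails the method permission
            // gets java.rmi.AccessException from the container.
            System.out.println("rejected by the container: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        useHandle(toBytes(obtainHandle("stephan", "secret")));
    }
}
```

The roles named in the interface comments are bound to the methods by `<method-permission>` elements in ejb-jar.xml; that is the method-by-method security HFEJB refers to. The answer to the "security exception" question, for a remote client under EJB 2.x, is java.rmi.AccessException when the caller's principal does not satisfy the method permission. What the neighbour can do is therefore decided by the identity his own JVM presents on each call, which is why the defensive controls are the container's authentication of every client connection plus the method permissions, not the secrecy of the handle bytes.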
 