Hello everybody, I wonder how the security thing works with the getHandle() method in EJBObject. In HFEJB on page 140 there is a note that the security is on a method-by-method basis. I know how this works, but I wonder how the container knows who is on the other side of the EJBObject?
When I do the standard way to get the component interface (over JNDI), I register the user through InitialContext/SECURITY_PRINCIPAL. But when I serialize my handle and bring it to my evil-minded neighbour, can't he use it to do whatever he likes with my "user" as principal? Isn't this right?
Or did I just misunderstand page 140 of HFEJB, and there is no other authentication, just authorization?
The user information won't be serialized in the handle. So, if it is serialized and passed around to somebody else, when the bean is instantiated again, the new user will still have to authorize itself to the container before it can invoke methods.
As for your last comment -- I'm a bit confused -- it's hard to have authorization without authentication. If I remember correctly though, HFEJB does talk quite a bit about what happens when a handle gets passed around once it's serialized.
Originally posted by Stephan Staeheli: Or did I just misunderstand page 140 of HFEJB, and there is no other authentication, just authorization?
Since EJB is in the business tier of J2EE, all kinds of authentication will be done in the web tier via servlets or JSPs... Unless they pass those authentications in the web tier, users cannot get into the business tier. So only authorization is needed to verify that the user has a certain access to do things with EJBs...
Hope it helps...
Co-author of SCMAD Exam Guide, Author of JMADPlus SCJP1.2, CCNA, SCWCD1.4, SCBCD1.3, SCMAD1.0, SCJA1.0, SCJP6.0
Originally posted by Nathaniel Stoddard: So, if it is serialized and passed around to somebody else, when the bean is instantiated again, the new user will still have to authorize itself to the container before it can invoke methods.
You thought about authentication, not authorization, right? But how do you authorize yourself to the container? That happens with the Properties in the InitialContext, right? But when you already have a Handle, you don't need an InitialContext, and so you don't have to authorize yourself. What happens then, a security exception?
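An added example (not code from this thread) that turns the question above into a check a deployer can run against their own container: it serializes a Handle obtained under one principal, deserializes it in a client that never logged in, and calls a protected method. The remote interfaces `Account` / `AccountHome` (with `getBalance()` and `create()`), the JNDI name and the credentials are assumptions; the container-specific `InitialContext` properties (provider URL, factory) are left to the usual jndi.properties.

```java
import java.io.*;
import java.rmi.AccessException;
import java.rmi.RemoteException;
import java.util.Properties;
import javax.ejb.Handle;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;

public class HandleSecurityCheck {
    static final String JNDI_NAME = "ejb/Account"; // assumed deployment name

    // Step 1: authenticate through the InitialContext, obtain the EJBObject, serialize its Handle.
    static byte[] serializeHandleAs(String user, String password) throws Exception {
        Properties env = new Properties();
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        Context ctx = new InitialContext(env);
        AccountHome home = (AccountHome) PortableRemoteObject.narrow(ctx.lookup(JNDI_NAME), AccountHome.class);
        Handle handle = home.create().getHandle();         // assumed session bean: create() then getHandle()
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(handle);
        oos.flush();
        return bos.toByteArray();
    }

    // Step 2: replay the handle from a client that never logged in. A compliant container
    // checks the caller on every invocation, so a method restricted to a role must be refused.
    static String replayWithoutLogin(byte[] serializedHandle) throws Exception {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedHandle));
        Handle handle = (Handle) ois.readObject();
        Account account = (Account) PortableRemoteObject.narrow(handle.getEJBObject(), Account.class);
        try {
            return "NOT PROTECTED: call succeeded, balance=" + account.getBalance();
        } catch (AccessException e) {   // what a remote client should see when access is denied
            return "protected: container refused the unauthenticated caller";
        } catch (RemoteException e) {   // some containers surface the refusal as a plain RemoteException
            return "refused with RemoteException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serializeHandleAs("alice", "secret"); // assumed test account
        // The handle identifies the bean, not the caller: the principal name should not appear in it.
        boolean containsPrincipal = new String(bytes, "ISO-8859-1").contains("alice");
        System.out.println("principal name found inside serialized handle: " + containsPrincipal);
        System.out.println(replayWithoutLogin(bytes));
    }
}
```

If the second call succeeds, the container (or its client library) is carrying the first login along with the thread or process rather than re-checking the caller, and the handle should be treated as a bearer credential.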