Security with getHandle() in EJBObject

 
Greenhorn
Posts: 27
Hello everybody
I wonder how the security works with the getHandle() method in EJBObject. In HFEJB on page 140 there is a note that the security is on a method-by-method basis. I know how this works, but I wonder how the container knows who is on the other side of the EJBObject?

When I do the standard way to get the component interface (over JNDI) I register the user through InitialContext/SECURITY_PRINCIPAL. But when I serialize my handle and bring it to my evil-minded neighbour, can't he use it to do whatever he likes with my "user" as principal? Ain't this right?

Or did I just misunderstand page 140 of HFEJB and there is no other authentication, just authorization?

Regards,
Stephan
 
Ranch Hand
Posts: 1258
The user information won't be serialized in the handle. So, if it is serialized and passed around to somebody else, when the bean is instantiated again, the new user will still have to authorize itself to the container before it can invoke methods.

As for your last comment -- I'm a bit confused -- it's hard to have authorization without authentication. If I remember correctly though, HFEJB does talk quite a bit about what happens when a handle gets passed around once it's serialized.
 
Ranch Hand
Posts: 3178

Originally posted by Stephan Staeheli:
Or did I just misunderstand page 140 of HFEJB and there is no other authentication, just authorization?

Since EJB is in the business tier of J2EE, all kinds of authentication will be done in the web tier via servlets or JSPs... Unless users pass those authentications in the web tier, they cannot get into the business tier. So there is only authorization needed to verify that the user has certain access to do things with EJBs...

Hope it helps...
 
Stephan Staeheli
Greenhorn
Posts: 27

Originally posted by Nathaniel Stoddard:
So, if it is serialized and passed around to somebody else, when the bean is instantiated again, the new user will still have to authorize itself to the container before it can invoke methods.

You thought about authentication, not authorization, right? But how do you authorize yourself to the container? That happens with the Properties in the InitialContext, right? But when you already have a Handle, you don't need an InitialContext and so you don't have to authorize yourself. What happens then, a security exception?
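An added illustration of the point made in this thread (not code from the thread or from HFEJB): client A logs in through the InitialContext and serializes a Handle; client B deserializes it without any login, and the container's role check runs against B's own caller identity, because the Handle carries no principal. The bean, its interfaces and the JNDI name "ejb/Account" are assumptions.

```java
import java.io.*;
import java.rmi.AccessException;
import java.rmi.RemoteException;
import java.util.Properties;
import javax.ejb.*;
import javax.naming.*;
import javax.rmi.PortableRemoteObject;

public class HandleSecurityDemo {

    // Hypothetical EJB 2.x interfaces; the thread does not name a bean.
    public interface AccountRemote extends EJBObject {
        double getBalance() throws RemoteException;
    }
    public interface AccountHome extends EJBHome {
        AccountRemote create() throws CreateException, RemoteException;
    }

    // Client A: authenticates through the InitialContext, obtains a Handle
    // and serializes it. "ejb/Account" is a placeholder JNDI name.
    static void saveHandle(String principal, String password, String file) throws Exception {
        Properties env = new Properties();
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        Object ref = new InitialContext(env).lookup("ejb/Account");
        AccountHome home = (AccountHome) PortableRemoteObject.narrow(ref, AccountHome.class);
        Handle handle = home.create().getHandle(); // locates the EJBObject, carries no principal
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(file))) {
            out.writeObject(handle);
        }
    }

    // Client B: deserializes the handle with no InitialContext login of its own.
    static String useHandle(String file) throws Exception {
        Handle handle;
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(file))) {
            handle = (Handle) in.readObject();
        }
        Object ejb = handle.getEJBObject(); // re-attaches to the bean, not to A's identity
        AccountRemote account = (AccountRemote) PortableRemoteObject.narrow(ejb, AccountRemote.class);
        try {
            return "balance " + account.getBalance();
        } catch (AccessException denied) {
            // The container checks B's caller identity on every method call; a role
            // violation reaches a remote client as java.rmi.AccessException.
            return "denied: " + denied.getMessage();
        }
    }
}
```

Whether an unauthenticated caller is rejected outright or mapped to a guest/anonymous role is vendor-specific, so the method permissions in the deployment descriptor, not the Handle, decide what B can do.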
 