Hello Friends, Here is an question about EJB deployers responsibilities for Security Management. I am not able to understand many of the concepts related to Security Management. Please do point to a place where these concepts are defined.
Here is the question: Identify responsibilities for the EJB deployer from the options below? [Select all correct answers] 1Along with the Application Assembler define the appropriate security policies for the application. 2Setting up the appropriate security policy for the enterprise bean application. 3Along with the System Administrator setting up of the principal delegation in a Container-specific way. 4Describe all the requirements for the caller's principal management of inter-enterprise bean invocations as part of the description.
The correct answer is 1,2,3 and the explanation is: The responsibilities as described in the EJB specification state that the Bean Provider and Application Assembler should describe all the requirements for the caller's principal management of inter-enterprise bean invocations as part of the description.
The Bean Provider should neither implement security mechanisms nor hard-code security policies in the enterprise bean's business methods.
The Bean Provider and Application Assembler may use the deployment descriptor to convey security-related information to the Deployer.
Deployer sets up the appropriate security policy for the enterprise bean application. Application Assembler and Deployer define the appropriate security policies for the application.
The management of caller principals passed on inter-enterprise bean invocations (i.e. principal delegation) is set up by the Deployer and System Administrator in a Container-specific way. For this reason 4 is incorrect as this is a responsibility of the Bean Provider.
I am not clear about the following issues: 1. What is "caller's principal management of inter-enterprise bean invocations"? Is it changing the calling principal of the bean using the "run-as" tag? 2. What is exactly meant by a security policy and how is it different from a security view? In my opinion a security view consists of security roles and method permissions and it specifies that which roles has which method permissions. Is a security policy a collection of security views? 3. How is defining appropriate security policies for the application different from setting up a security policy for the entire enterprise application? (Difference between option 1 and 2) 4. What is meant by "setting up of the principal delegation in a Container-specific way"?