EJB security questions

Hussein Baghdadi
Hi all.
I have some questions about EJB security.
1. My servlet is using <run-as> security; this servlet uses an EJB which also defines a <run-as> element.
Now, when the user is authenticated by the servlet, the role that has been added to the user will be passed to the EJB to check if he has the authorization. Right?
2. Should I specify <method-permission> if I am using <run-as> in both the servlet and the EJB?
3. When we use the <use-caller-identity> element for an EJB, what does this mean?
How could an EJB know the role of the user?
How could the user supply his role?
Thanks.
 
Hussein Baghdadi
Consider the following scenario:
There is no <run-as> in web.xml nor in ejb-jar.xml.
We have a user called John; his role is registered.
John visits the update servlet, which is protected by HTTP authentication.
The update servlet uses an EJB component (this EJB allows operations from the registered and admin roles).
John provided his username and password correctly, so the servlet authentication is OK and he can display the servlet.
The servlet will pass his role to the EJB in order to check that he has the authorization (from the registered role defined in the method-permission element).
Did I understand the caller-identity policy?