
EJB security questions

 
Hussein Baghdadi
clojure forum advocate
Bartender
Posts: 3479
Clojure Mac Objective C
Hi all.
I have some questions about EJB security.
1. My servlet is using <run-as> security; this servlet uses an EJB which also defines a <run-as> element.
Now, when the user is authenticated by the servlet, the role that has been added to the user will be passed to the EJB to check if he has the authorization. Right?
2. Should I specify <method-permission> if I am using <run-as> in both the servlet & EJB?
3. When we use the <use-caller-identity> element for an EJB, what does this mean?
How can an EJB know the role of the user?
How can the user supply his role?
Thanks.
 
Hussein Baghdadi
Consider the following scenario:
There is no <run-as> in web.xml nor in ejb-jar.xml.
We have a user called John; his role is registered.
John visits the update servlet, which is protected by HTTP authentication.
The update servlet uses an EJB component (this EJB allows operations from the registered and admin roles).
John provided his username and password correctly, so the servlet authentication is OK
and he can display the servlet.
The servlet will pass his role to the EJB in order to check that he has the authorization (from the registered role defined in the method-permission element).
Did I understand the caller-identity policy?
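The scenario above written out as deployment descriptors, as an added example that is not part of the original post: the bean name UpdateBean, the /update URL pattern and the realm name are assumed. With no <run-as> on either side, the container propagates John's own authenticated identity to the bean and checks it against method-permission; the servlet code does not pass the role itself.

```xml
<!-- web.xml: the update servlet is protected by HTTP BASIC authentication
     and only the "registered" role may reach it. No <run-as> here, so the
     caller (John) keeps his own identity when the servlet calls the EJB. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>update</web-resource-name>
      <url-pattern>/update</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>registered</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example-realm</realm-name>  <!-- assumed realm name -->
  </login-config>
  <security-role><role-name>registered</role-name></security-role>
</web-app>

<!-- ejb-jar.xml: <use-caller-identity/> tells the container to authorize
     each call with the propagated caller's roles (John -> registered), not a
     fixed run-as role. Replacing it with <run-as><role-name>admin</role-name>
     </run-as> would make every call look like an admin instead. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <enterprise-beans>
    <session>
      <ejb-name>UpdateBean</ejb-name>  <!-- assumed bean name -->
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>registered</role-name></security-role>
    <security-role><role-name>admin</role-name></security-role>
    <!-- both roles may call any method of UpdateBean; a caller in
         neither role gets an access exception from the container -->
    <method-permission>
      <role-name>registered</role-name>
      <role-name>admin</role-name>
      <method>
        <ejb-name>UpdateBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```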
 