EJB security questions

 
clojure forum advocate
Posts: 3479
Mac Objective C Clojure
Hi all.
I have some questions about EJB security.
1. My servlet is using <run-as> security; this servlet uses an EJB which also defines a <run-as> element.
Now, when the user is authenticated by the servlet, the role that has been added to the user will be passed to the EJB to check if he has the authorization, right?
2. Should I specify <method-permission> if I am using <run-as> in both the servlet & EJB?
3. When we use the <use-caller-identity> element for an EJB, what does this mean?
How could an EJB know the role of the user?
How could the user supply his role?
Thanks.
 
Hussein Baghdadi
clojure forum advocate
Posts: 3479
Mac Objective C Clojure
Consider the following scenario:
There is no <run-as> in web.xml nor in ejb-jar.xml.
We have a user called John; his role is "registered".
John visits the update servlet, which is protected by HTTP authentication.
The update servlet uses an EJB component (this EJB allows operations from the registered and admin roles).
John provided his username and password correctly, so the servlet authentication is OK
and he can display the servlet.
The servlet will pass his role to the EJB in order to check that he has the authorization (from the registered role defined in the method-permission element).
Did I understand the caller-identity policy?
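The scenario in the post above written out as deployment descriptors. This is an added example, not the poster's own configuration: the servlet and bean names (UpdateServlet, AccountBean), the classes under com.example, the /update URL pattern, the method name update and the realm name are assumptions. With <use-caller-identity/> the bean runs with the identity of whoever called it, so after the web container authenticates John his principal and the roles the server maps him to travel with the call into the EJB container, which checks them against <method-permission>. Neither descriptor says who is in the "registered" role; that mapping of role name to user or group lives in the server's vendor-specific descriptor or realm configuration and is not shown here.

```xml
<!-- web.xml (assumed file contents): HTTP BASIC authentication on the update servlet.
     No <run-as> is declared, so the EJB is called with John's own identity. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>UpdateServlet</servlet-name>               <!-- assumed name -->
    <servlet-class>com.example.UpdateServlet</servlet-class> <!-- assumed class -->
  </servlet>
  <servlet-mapping>
    <servlet-name>UpdateServlet</servlet-name>
    <url-pattern>/update</url-pattern>                       <!-- assumed path -->
  </servlet-mapping>

  <!-- The web container enforces this before the servlet runs at all. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>update</web-resource-name>
      <url-pattern>/update</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>registered</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>app</realm-name>                             <!-- assumed realm -->
  </login-config>
  <security-role><role-name>registered</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>

<!-- ejb-jar.xml (assumed file contents): the bean runs as its caller, and
     <method-permission> lists which roles may invoke the update method. -->
<ejb-jar xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.2">
  <enterprise-beans>
    <session>
      <ejb-name>AccountBean</ejb-name>                       <!-- assumed name -->
      <ejb-class>com.example.AccountBean</ejb-class>         <!-- assumed class -->
      <session-type>Stateless</session-type>
      <security-identity>
        <!-- The caller's principal and roles are used for the permission check;
             the bean does not ask the user for a role, the container supplies it. -->
        <use-caller-identity/>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>registered</role-name></security-role>
    <security-role><role-name>admin</role-name></security-role>
    <method-permission>
      <role-name>registered</role-name>
      <role-name>admin</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>update</method-name>                    <!-- assumed method -->
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

The two checks are independent: the web container checks John's roles against the <auth-constraint> on /update, and the EJB container separately checks them against <method-permission> when the servlet calls AccountBean.update. If the servlet instead declared <run-as><role-name>admin</role-name></run-as> inside its <servlet> element, the container would make the EJB call with an identity the server maps to the admin role rather than with John's identity, and the <method-permission> check would be made against that run-as identity.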
 
LOOK! OVER THERE! (yoink) your tiny ad is now my tiny ad.
a bit of art, as a gift, the permaculture playing cards
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic