Need Help with Concepts of Security Management

 
Ranch Hand
Posts: 46
Hello Friends,
Here is a question about EJB deployers' responsibilities for Security Management. I am not able to understand many of the concepts related to Security Management. Please do point to a place where these concepts are defined.

Here is the question:
Identify responsibilities for the EJB deployer from the options below? [Select all correct answers]
1 Along with the Application Assembler define the appropriate security policies for the application.
2 Setting up the appropriate security policy for the enterprise bean application.
3 Along with the System Administrator setting up of the principal delegation in a Container-specific way.
4 Describe all the requirements for the caller's principal management of inter-enterprise bean invocations as part of the description.

The correct answer is 1, 2 and 3, and the explanation is:
The responsibilities as described in the EJB specification state that the Bean Provider and Application Assembler should describe all the requirements for the caller's principal management of inter-enterprise bean invocations as part of the description.

The Bean Provider should neither implement security mechanisms nor hard-code security policies in the enterprise bean's business methods.

The Bean Provider and Application Assembler may use the deployment descriptor to convey security-related information to the Deployer.

Deployer sets up the appropriate security policy for the enterprise bean application. Application Assembler and Deployer define the appropriate security policies for the application.

The management of caller principals passed on inter-enterprise bean invocations (i.e. principal delegation) is set up by the Deployer and System Administrator in a Container-specific way. For this reason 4 is incorrect as this is a responsibility of the Bean Provider.

I am not clear about the following issues:
1. What is "caller's principal management of inter-enterprise bean invocations"? Is it changing the calling principal of the bean using the "run-as" tag?
2. What exactly is meant by a security policy and how is it different from a security view? In my opinion a security view consists of security roles and method permissions and it specifies which roles have which method permissions. Is a security policy a collection of security views?
3. How is defining appropriate security policies for the application different from setting up a security policy for the entire enterprise application? (Difference between option 1 and 2)
4. What is meant by "setting up of the principal delegation in a Container-specific way"?
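To make the terms concrete, here is an added ejb-jar.xml fragment (EJB 2.0 element names; it is not from the original post, and the bean, package and role names are made up): the security-role and method-permission elements are the portable security view that the Bean Provider and Application Assembler write, and run-as chooses the identity this bean presents when it calls other beans. Mapping these role names to real principals or groups, and the container's actual propagation of principals between beans, is left to the Deployer and System Administrator in the vendor-specific descriptor, not in this file.

```xml
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>OrderBean</ejb-name>
      <home>example.OrderHome</home>
      <remote>example.Order</remote>
      <ejb-class>example.OrderEJB</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- Bean Provider: name used by isCallerInRole("admin") in the
           bean code; the Assembler links it to an application role. -->
      <security-role-ref>
        <role-name>admin</role-name>
        <role-link>order-manager</role-link>
      </security-role-ref>
      <!-- Outbound identity: calls this bean makes to other beans
           carry the "auditor" role instead of the caller's identity;
           <use-caller-identity/> would propagate the caller instead. -->
      <security-identity>
        <run-as>
          <role-name>auditor</role-name>
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- Security view, part 1: the application's logical roles.
         Mapping them to real users/groups is the Deployer's job and
         lives in the vendor-specific descriptor, not here. -->
    <security-role><role-name>customer</role-name></security-role>
    <security-role><role-name>order-manager</role-name></security-role>
    <security-role><role-name>auditor</role-name></security-role>
    <!-- Security view, part 2: which role may invoke which method. -->
    <method-permission>
      <role-name>customer</role-name>
      <method>
        <ejb-name>OrderBean</ejb-name>
        <method-name>placeOrder</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>order-manager</role-name>
      <method>
        <ejb-name>OrderBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

A method of OrderBean that appears in no method-permission (and no exclude-list) is not callable by any role once the container enforces this view, which is why the Deployer's role mapping and the Assembler's permissions have to be checked together.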
 