
EJB Security

An EJB container/server vendor must provide support for numerous operations, including authentication, identity propagation, and identity delegation. At the same time, the vendor must support secure communication between an EJB client and server and must provide a means for security auditing. Paul Perrone examines these issues in this article.

EJB Security Overview

As with any distributed object used in security-critical enterprise applications, EJBs must be secured. However, EJB components operate inside a container environment and rely on the container to provide distributed connectivity to an EJB, to create and destroy EJB instances, to passivate and activate EJB instances, to invoke business methods on EJBs, and to generally manage the life cycle of an EJB. Because such control is relinquished to an EJB container/server environment, securing the EJB also relies heavily on the support provided by the EJB container environment. EJB security mechanisms can be divided into standard mechanisms required by the J2EE and EJB specifications, mechanisms that are EJB container/server vendor-specific, and mechanisms that may be hand-coded by the EJB developer.

Figure 1 illustrates the basic architecture required for securing EJBs. Standard security mechanisms defined for EJBs are currently largely focused on providing a minimal set of constructs for role-based EJB access control. Standard mechanisms for determining role-based permissions to access EJB methods may be tapped programmatically by EJB components via a few interfaces to the EJB container context, as exposed by the EJB API. Standard EJB method access-control mechanisms can also be defined declaratively with a set of standard XML elements contained in a standard EJB deployment descriptor. Additionally, a few vendor-specific access control features are needed to support the mapping of security roles defined in standard deployment descriptors to principal identities managed by the operational environment.

Figure 1 EJB security architecture.
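The two standard access-control paths described above can be seen side by side in the following added example, which is not code from the article. It assumes an EJB 2.x-style session bean whose home and remote interfaces are not shown; the bean name, method, role names, exception class and threshold are all hypothetical.

```java
import java.security.Principal;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/*
 * Declarative side, in ejb-jar.xml (hypothetical bean and role names).
 * Binding "Manager" and "Clerk" to real principals is vendor-specific.
 *
 *   <security-role-ref>            <!-- inside the bean's <session> element -->
 *     <role-name>approver</role-name>
 *     <role-link>Manager</role-link>
 *   </security-role-ref>
 *   <assembly-descriptor>
 *     <security-role><role-name>Manager</role-name></security-role>
 *     <security-role><role-name>Clerk</role-name></security-role>
 *     <method-permission>
 *       <role-name>Manager</role-name>
 *       <role-name>Clerk</role-name>
 *       <method>
 *         <ejb-name>OrderBean</ejb-name>
 *         <method-name>approve</method-name>
 *       </method>
 *     </method-permission>
 *   </assembly-descriptor>
 */
public class OrderBean implements SessionBean {
    // Checked application exception, so a denial does not discard the bean instance.
    public static class ApprovalDeniedException extends Exception {
        public ApprovalDeniedException(String msg) { super(msg); }
    }
    private static final double CLERK_LIMIT = 1000.00; // constructed threshold
    private SessionContext ctx;

    // The container supplies the context that exposes the caller's identity and roles.
    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }

    // The container has already enforced <method-permission> before this runs;
    // the code adds a data-dependent rule that the descriptor cannot express.
    public String approve(String orderId, double amount) throws ApprovalDeniedException {
        Principal caller = ctx.getCallerPrincipal();
        if (amount > CLERK_LIMIT && !ctx.isCallerInRole("approver")) {
            throw new ApprovalDeniedException(caller.getName() + " may not approve " + orderId);
        }
        return orderId + " approved by " + caller.getName();
    }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```

The string passed to `isCallerInRole` is the bean-local name from `<security-role-ref>`, not the deployment-wide role, so a missing or mislinked reference should be checked at deployment review.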
