The J2EE Tutorial

Propagating Security Identity

When you deploy an enterprise bean or Web component, you can specify the security identity that will be propagated (illustrated in Figure 15-1) to enterprise beans invoked from within that component.

Figure 15-1 Security Identity Propagation

You can choose one of the following propagation styles:

Configuring a Component's Propagated Security Identity

You use deploytool to select the type of security identity that is propagated from an enterprise bean or Web component.

To configure an enterprise bean or Web component to propagate the caller identity with which the component is running:

  1. Select the component.
  2. Select the Security tab.
  3. In the Security Identity pane, select the Use Caller ID radio button.

To configure a component to propagate a security identity other than that with which the component is running:

  1. Select the component.
  2. Select the Security tab.
  3. In the Security Identity pane, select the Run As Specified Role option.
  4. Use the drop-down menu to select the role with which to run.
  5. After you select the role, you can select a user from that role. To do this, select Deployment Settings.
  6. From Run As Specified User, select the user name that the client will use to invoke the enterprise bean's methods.
  7. Click OK.

Configuring Client Authentication

If an application component in an application client container accesses a protected method on a bean, use client authentication.

In deploytool, use the following procedure to configure client authentication:

  1. Select the target enterprise bean.
  2. Select the Security tab.
  3. Select Deployment Settings to display the Security Deployment Settings dialog box.
  4. Select the SSL Required checkbox to enable SSL.
  5. In the Client Authentication pane, select Certificate as the method by which the server expects the client to authenticate itself to the server.
  6. Click OK.

Trust Between Containers

When an enterprise bean is designed so that either the original caller identity or a designated identity is used to call a target bean, the target bean will receive the propagated identity only; it will not receive any authentication data.

There is no way for the target container to authenticate the propagated security identity. However, because the security identity is used in authorization checks (for example, in method permissions or in calls to the isCallerInRole() method), it is vitally important that the security identity be authentic. Since no authentication data is available with which to authenticate the propagated identity, the target must trust that the calling container has propagated an authenticated security identity.

By default, the J2EE SDK server is configured to trust identities that are propagated from different containers. Therefore, there are no special steps that you need to take to set up a trust relationship.
