Harish,

How are the security credentials supposed to be passed from the handle to the
EJB server in a client application like the one below:

import java.io.FileInputStream;
import java.io.ObjectInputStream;
import javax.ejb.Handle;

public class Foo {
    public static void main(String[] args) {
        // "account.handle" is a placeholder file name; the handle was serialized by another JVM
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream("account.handle"))) {
            Handle hndl = (Handle) in.readObject();          // deserialize handle from a file
            Account acct = (Account) hndl.getEJBObject();     // re-create the remote reference
            acct.withdraw(20000);                             // role-restricted method
        } catch (Exception e) {
            // do something
        }
    }
}

If the withdraw method can only be accessed by a specific role or Principal (it
doesn't accept anonymous clients), how is the client's identity passed to
the server?  Where is authentication of the client's identity performed?

After talking with Rickard about this I have learned that JAAS provides an
implicit mechanism for performing authentication between a client and a
remote server.  That makes perfect sense, but it implies that the credentials
of the client must be automatically loaded from the client's environment or
that the application in question must set the credentials before executing any
code that uses JAAS. (The assumption is that the client was not connected to the
server prior to serializing the handle.)

This also implies that JAAS must be used -- or some similar container
specific mechanism -- OR that the EJB object has been deployed to accept
anonymous clients.  If none of this is true, executing methods on the EJBObject
or even obtaining the EJB object reference from the handle should fail.

Thanks,

Richard


Harish Prabandham wrote:

> Hi,
>
> I do not understand the security implications of deserializing
> and serializing a javax.ejb.Handle.
>
> The security information is typically sent along with the
> call. It is never associated with the remote object.
>
> The security methods getCallerPrincipal() and isCallerInRole()
> are "call" specific - not object specific. Similarly, role
> based authorization checks are done based on who called
> the bean - not based on who created the bean.
>
> Harish Prabandham
>
> J2EE Reference Implementation
> Java Software Division,
> Sun Microsystems.
>
> > -----Original Message-----
> > From: A mailing list for Enterprise JavaBeans development
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Monson-Haefel
> > Sent: Thursday, September 02, 1999 9:19 AM
> > To: [EMAIL PROTECTED]
> > Subject: Security problem with javax.ejb.Handle
> >
> >
> > This issue was brought up without resolution over a year ago.  I had hoped that
> > it would be adequately addressed in EJB 1.1, but it hasn't.  In fact now it
> > seems worse, because now the security flaw is mandated not implied as was the
> > case in EJB 1.0.
> >
> > According to section 8.7 of the EJB 1.1:
> > "At the minimum, a program running in one JVM must be able to obtain and
> > serialize the handle, and another program running in a different JVM must be
> > able to deserialize it and re-create an object reference."
> >
> > Since the only method available on Handle is getEJBObject( ), it's assumed that
> > authentication is NOT used to obtain the EJBObject reference.  If no
> > authentication is used no identity is presented, so authorization (access
> > control) can not be done (how can you authorize an identity that has not been
> > made available).  It's possible that the Handle is supposed to store the identity
> > and credentials of the client that serialized it, and then use that information
> > to automatically authenticate when the Handle is used, but this seems like a
> > serious security flaw.
> >
> > --
> > Richard Monson-Haefel
> > Author of Enterprise JavaBeans
> > Published by O'Reilly & Associates
> >
> > ===========================================================================
> > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > of the message "signoff EJB-INTEREST".  For general help, send email to
> > [EMAIL PROTECTED] and include in the body of the message "help".
> >
>



--
Richard Monson-Haefel
Author of Enterprise JavaBeans
Published by O'Reilly & Associates
( http://www.monson-haefel.com )
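The conclusion of the reply above is that the handle contributes only the object reference, so the client has to establish its own identity before touching it. The following is an added example, not code from the original post, from the J2EE RI or from the book: the client rewritten so that a JAAS login precedes getEJBObject() and the calls run inside the authenticated Subject. Assumed, because the thread does not supply them: the `Account` remote interface with `withdraw(double)`, a JAAS configuration entry named `EjbClient`, the placeholder file `account.handle`, and a container that propagates the client thread's Subject with each remote call (how it does so is container specific).

```java
import java.io.FileInputStream;
import java.io.ObjectInputStream;
import java.security.PrivilegedExceptionAction;
import javax.ejb.Handle;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

public class AuthenticatedHandleClient {
    // Assumed remote interface (not on the page); the bean restricts withdraw() to a role.
    public interface Account extends javax.ejb.EJBObject {
        void withdraw(double amount) throws java.rmi.RemoteException;
    }

    public static void main(String[] args) throws Exception {
        final String user = args[0];
        final char[] password = args[1].toCharArray();
        // 1. Recover the handle. It holds only what locates the EJBObject (server, home,
        //    primary key): no identity or credential of whoever serialized it.
        final Handle handle;
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream("account.handle"))) {
            handle = (Handle) in.readObject();
        }

        // 2. Authenticate THIS client before any remote call. "EjbClient" is an assumed
        //    JAAS configuration entry naming the LoginModule the container expects.
        LoginContext lc = new LoginContext("EjbClient", callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback)          ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        });
        lc.login();   // bad credentials fail here, before any EJB method is reached
        Subject caller = lc.getSubject();

        // 3. Resolve the reference and call inside the authenticated context. The identity
        //    travels with each call (propagation is container specific), never with the handle.
        Subject.doAs(caller, (PrivilegedExceptionAction<Void>) () -> {
            Account acct = (Account) handle.getEJBObject();
            acct.withdraw(20000);
            return null;
        });
        lc.logout();
    }
}
```

If the container does not pick up the Subject from the calling thread, step 3 is where it would instead require its own login API; the point that the handle itself carries nothing the server can authorize on is unchanged.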
