Deepali wrote:
> I wanted to actually know more about EJB Security.
>
> I am trying to use Weblogic as tool and explore various facets of
> EJB. I want to use SQL Server as database for my application. I know that
> Weblogic provides various security facilities to declare users, principals,
> ACLs in the Weblogic properties files and defining the ACLs in deployment
> descriptor, the application can use the features of security.
> But, I wanted to know is it possible to use EJB and use the
> security features by defining users table, acls table and groups table in
> database or is it possible to use the features of SQL Server itself. I have
> tried to find more information regarding the same, but failed to
> get more.
> I have tried to run the existing example in Weblogic that uses the RDBMS
> feature, but there are problems in executing the example.

The way security is designed to work in EJB applications is that EJB security
facilities are used to control client access to the methods of the bean and
database security facilities are used to control EJB access to the databases.

This second step is often misunderstood. It is well described in the J2EE APM
beta draft section 10.2.1. This describes "container-managed authentication",
where the container gets authority to access the database on behalf of a
"protection domain" and EJBs running in that container have automatic access to
the database. A protection domain is authenticated using a system principal
rather than a specific user principal. Hence users do not need to be given
authorisation to access the database. (Apologies to security experts, I know
I've simplified it a little.)

Note that security exposures can result if ordinary business users ARE
authorised to access the database. A user who is not required by his role in the
organisation to be able to modify any field of a database at any time without
any sort of consistency checking should not be barred from doing so by mere lack
of a mechanism - it should be written into the authorisation tables. The scheme
described above achieves this.

Ian McCallion
CICS Business Unit
IBM Hursley
[EMAIL PROTECTED]
Tel: ++44-1962-818065
Fax: ++44-1962-818069
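To make the two-layer scheme in the reply above concrete, here is an added EJB 1.1 ejb-jar.xml (an example written for this page, not from the thread or from WebLogic's samples): the method-permission elements do the first layer, client access to bean methods, and res-auth Container does the second, container-managed sign-on to the database. Bean, package, role and JNDI names are hypothetical; mapping the roles onto WebLogic users and groups (the properties-file ACLs the question mentions) is assumed to happen in the vendor descriptor.

```xml
<?xml version="1.0"?>
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>AccountBean</ejb-name>
      <home>example.AccountHome</home>
      <remote>example.Account</remote>
      <ejb-class>example.AccountEJB</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- Second layer: the bean reaches SQL Server via a DataSource with
           container-managed sign-on (res-auth Container). The container logs
           in with its own system credentials; the business user needs none. -->
      <resource-ref>
        <res-ref-name>jdbc/AccountsDB</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- First layer: roles the container checks before dispatching a call.
         Mapping roles onto WebLogic users/groups belongs in the vendor descriptor. -->
    <security-role>
      <role-name>teller</role-name>
    </security-role>
    <security-role>
      <role-name>auditor</role-name>
    </security-role>
    <!-- Tellers may move money; auditors may only read balances. Cover every
         exposed method: EJB 1.1 leaves an unlisted method to the container,
         so do not rely on omission to deny access. -->
    <method-permission>
      <role-name>teller</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>transfer</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>teller</role-name>
      <role-name>auditor</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>getBalance</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

With this descriptor the database login belongs to the container alone, so a teller's or auditor's own credentials are never usable against SQL Server directly, which is the exposure the reply warns about.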