Security Functions
Security Functions
The EJB container is responsible for enforcing access control on the enterprise bean method. It
consults the security policy (derived from the deployment descriptor) associated with the
enterprise bean to determine the security roles that are permitted access to the method. For
each role, the EJB container uses the security context associated with the call to determine if it
can map the caller to the role.
The container's evaluation stops with an "is authorized" outcome when the container is able to
map the caller's credential to a role. A "not authorized" outcome is reached if the container is
unable to map the caller to any of the permitted roles. A "not authorized" result causes an
exception to be thrown by the container, and propagated back to the calling JSP page.
If the call is authorized, the container dispatches control to the enterprise bean method. The
result of the bean's execution of the call is returned to the JSP, and ultimately to the user by the
web server and the web client.
Read
for more information on protecting web
applications.
Security Functions
A properly implemented security mechanism will provide the following functionality:
Prevent unauthorized access to application functions and business or personal data
Hold system users accountable for operations they perform (non-repudiation)
Protect a system from service interruptions and other breaches that affect quality of service
Web Client
Web Server
credential
JSP/servlet
Object
Session
Context
Security
Context
EJB Container
Security
Context
Credential used to
establish security
association
A
uthor
ization
EJB
Remote
call
FIGURE 285
Invoking an Enterprise Bean Business Method
Overview of Java EE Security
Chapter 28 · Introduction to Security in the Java EE Platform
769
