[Figure: two EJB containers]

In this illustration, an application client is making a call to an enterprise bean method in one
EJB container. This enterprise bean method, in turn, makes a call to an enterprise bean method
in another container. The security identity during the first call is the identity of the caller. The
security identity during the second call can be any of the following options:
- By default, the identity of the caller of the intermediate component is propagated to the
  target enterprise bean. This technique is used when the target container trusts the
  intermediate container.
- A specific identity is propagated to the target enterprise bean. This technique is used when
  the target container expects access using a specific identity.

To propagate an identity to the target enterprise bean, configure a run-as identity for the
bean as discussed in "Configuring a Component's Propagated Security Identity" on page 814.

Establishing a run-as identity for an enterprise bean does not affect the identities of its
callers, which are the identities tested for permission to access the methods of the enterprise
bean. The run-as identity establishes the identity that the enterprise bean will use when it
makes calls.

The run-as identity applies to the enterprise bean as a whole, including all the methods of
the enterprise bean's business interface, home interface, component interface, and web
service endpoint interfaces, the message listener methods of a message-driven bean, the
time-out callback method of an enterprise bean, and all internal methods of the bean that
might be called in turn.
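
The following sketch is an added example, not code from the tutorial. It shows an intermediate bean whose callers are still checked against their own role while its outgoing call carries a run-as role. The bean names, method names and the roles "teller" and "ledger-writer" are hypothetical, and the mapping of the run-as role to a concrete principal is assumed to be done in the application server's configuration.

```java
// Added illustration: all class, method and role names are hypothetical.
// The two classes belong in separate source files; imports are shown once.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// --- LedgerBean.java: the target bean (second container) ---
@Stateless
@DeclareRoles("ledger-writer")
public class LedgerBean {
    @Resource
    private SessionContext ctx;

    // The target expects access using one specific identity.
    @RolesAllowed("ledger-writer")
    public String post(String entry) {
        // With run-as in effect on the caller, this is the principal mapped
        // to "ledger-writer", not the application client's user.
        return ctx.getCallerPrincipal().getName() + " posted: " + entry;
    }
}

// --- TransferBean.java: the intermediate bean (first container) ---
@Stateless
@DeclareRoles({"teller", "ledger-writer"})
@RunAs("ledger-writer") // class-level: covers every call this bean makes
public class TransferBean {
    // Injected directly for brevity (assumption); across containers the
    // reference would be to the target's remote business interface.
    @EJB
    private LedgerBean ledger;
    @Resource
    private SessionContext ctx;

    // Access here is still decided by the real caller's role; @RunAs
    // does not change who is allowed to invoke this method.
    @RolesAllowed("teller")
    public String transfer(String entry) {
        String caller = ctx.getCallerPrincipal().getName(); // original caller
        // The target never sees this identity, so it is passed as data
        // where the target needs it for its audit trail.
        return ledger.post(entry + " (requested by " + caller + ")");
    }
}
```

Removing `@RunAs` from `TransferBean` returns to the default behavior, in which the caller's identity is propagated and a caller holding only the "teller" role is refused by `LedgerBean.post`.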
Securing Enterprise Beans
Chapter 29 · Securing Java EE Applications
813