Trust between Containers
In either case, if the run-as role is associated with more than one user principal, you must map the run-as role name to a specific principal defined on the Application Server. Mapping roles to principals is described in "Mapping Security Roles to Application Server Groups" on page 811.
Trust between Containers
When an enterprise bean is designed so that either the original caller identity or a designated (run-as) identity is used to call a target bean, the target bean receives only the propagated identity; it does not receive any authentication data.
The target container therefore has no way to authenticate the propagated security identity itself. Because that identity is nevertheless used in authorization checks (for example, method permissions or the isCallerInRole() method), it is vitally important that the identity be authentic. With no authentication data available, the target must trust that the calling container has already authenticated the identity it propagates.
By default, the Application Server is configured to trust identities that are propagated from different containers, so no special steps are needed to set up the trust relationship. This also means that the target bean's authorization decisions are only as sound as the authentication performed by the calling container.
Using Enterprise Bean Security Annotations
Annotations are used in code to relay information to the deployer about security and other
aspects of the application. Specifying this information in annotations or in the deployment
descriptor helps the deployer set up the appropriate security policy for the enterprise bean
application.
Any value explicitly specified in the deployment descriptor overrides the corresponding value specified in annotations. If no value for a method is specified in the deployment descriptor but one is specified by an annotation, the annotation value applies. Overriding is resolved on a per-method basis.
The following annotations address security, can be used in an enterprise bean, and are discussed in this tutorial:
The @DeclareRoles annotation declares each security role referenced in the code. Use of this annotation is discussed in "Declaring Security Roles Using Annotations" on page 802.

The @RolesAllowed, @PermitAll, and @DenyAll annotations are used to specify method permissions. Use of these annotations is discussed in "Specifying Method Permissions Using Annotations" on page 807.

The @RunAs metadata annotation is used to configure a component's propagated security identity. Use of this annotation is discussed in "Configuring a Component's Propagated Security Identity" on page 814.
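The following is an added example, not code from the tutorial, that ties the annotations listed above to the container trust relationship described earlier. The bean names (ReportBean, AuditLogBean), the roles "user" and "admin", and the method names are assumptions chosen for illustration. A caller bean that any authenticated "user" may invoke runs as "admin" when it calls a target bean whose sensitive method is restricted to "admin"; the target never sees credentials, only the propagated principal, and its isCallerInRole() check consults that same propagated identity.

```java
// File: AuditLogBean.java (added example; names and roles are assumed)
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Target bean: the container enforces these method permissions using the
// propagated identity only; no authentication data reaches this bean.
@Stateless
@DeclareRoles({"admin", "user"})
public class AuditLogBean {

    @Resource
    private SessionContext ctx;

    // Only a propagated identity in the "admin" role may reach this method.
    @RolesAllowed("admin")
    public String purge() {
        // getCallerPrincipal() returns the propagated principal, which for a
        // @RunAs caller is the principal mapped to the run-as role.
        return "purged by " + ctx.getCallerPrincipal().getName();
    }

    // Open to every caller; the role check is done in code instead.
    @PermitAll
    public boolean callerIsAdmin() {
        // isCallerInRole() is also evaluated against the propagated identity.
        return ctx.isCallerInRole("admin");
    }

    // Never callable through the container, regardless of caller identity.
    @DenyAll
    public void rewriteHistory() {
        throw new IllegalStateException("unreachable: denied to all roles");
    }
}
```

```java
// File: ReportBean.java (added example; names and roles are assumed)
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;

// Caller bean: ordinary users may invoke it, but every outbound EJB call it
// makes is propagated under a principal in the "admin" role.
@Stateless
@DeclareRoles({"admin", "user"})
@RunAs("admin")
public class ReportBean {

    @EJB
    private AuditLogBean auditLog;

    @RolesAllowed("user")
    public String purgeAudit() {
        // AuditLogBean cannot authenticate the "admin" identity it receives;
        // it trusts this container to have authenticated the original "user".
        return auditLog.purge();
    }
}
```

Two points follow from the text above. First, if the "admin" run-as role is associated with more than one user principal on the Application Server, the role must be mapped to a single principal as described in "Mapping Security Roles to Application Server Groups"; otherwise the container cannot construct the propagated identity. Second, the annotations are only defaults: a method-permission element in ejb-jar.xml that names AuditLogBean.purge() with a different role set replaces the @RolesAllowed("admin") value for that method alone, while callerIsAdmin() and rewriteHistory() keep their annotated permissions.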
Securing Enterprise Beans
Chapter 29 · Securing Java EE Applications
815