Configuring IOR Security

The EJB interoperability protocol is based on the Internet Inter-ORB Protocol (IIOP/GIOP 1.2) and the Common Secure Interoperability version 2 (CSIv2) CORBA Secure Interoperability specification.

Enterprise beans that are deployed in one vendor's server product are often accessed from Java EE client components that are deployed in another vendor's product. CSIv2, a CORBA/IIOP-based standard interoperability protocol, addresses this situation by providing authentication, protection of integrity and confidentiality, and principal propagation for invocations on enterprise beans, where the invocations take place over an enterprise's intranet.

CSIv2 configuration settings are specified in the Interoperable Object Reference (IOR) of the target enterprise bean. IOR configurations are defined in Chapter 24 of the CORBA/IIOP specification, Secure Interoperability. This chapter can be downloaded from http://www.omg.org/cgi-bin/doc?formal/02-06-60.

The EJB interoperability protocol is defined in Chapter 14, Support for Distribution and Interoperability, of the EJB specification, which can be downloaded from http://jcp.org/en/jsr/detail?id=220.

Based on application requirements, IORs are configured in vendor-specific XML files, such as sun-ejb-jar.xml, instead of in standard application deployment descriptor files, such as ejb-jar.xml.

For a Java EE application, IOR configurations are specified in Sun-specific XML files (described by, for example, sun-ejb-jar_2_1-1.dtd). The ior-security-config element describes the security configuration information for the IOR. A description of some of the major subelements is provided below.
transport-config

This is the root element for security between the endpoints. It contains the following elements:

integrity: This element specifies whether the target supports integrity-protected messages for transport. The values are NONE, SUPPORTED, or REQUIRED.

confidentiality: This element specifies whether the target supports privacy-protected messages (SSL) for transport. The values are NONE, SUPPORTED, or REQUIRED.

establish-trust-in-target: This element specifies whether or not the target component is capable of authenticating to a client for transport. It is used for mutual authentication (to validate the server's identity). The values are NONE, SUPPORTED, or REQUIRED.

establish-trust-in-client: This element specifies whether or not the target component is capable of authenticating a client for transport (the target asks the client to authenticate itself). The values are NONE, SUPPORTED, or REQUIRED.
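To show how these four transport-config elements combine in practice, here is an added example (not from the tutorial or any application server's own code): a small Python audit that parses a constructed sun-ejb-jar.xml fragment containing one bean left at NONE/SUPPORTED and one hardened to REQUIRED, and reports, per bean, which transport settings still admit an unprotected or unauthenticated connection. The nesting of ior-security-config under sun-ejb-jar/enterprise-beans/ejb is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sun-ejb-jar.xml fragment: a bean that still accepts unprotected IIOP
# next to one that forces protected transport (element names from the page; the
# sun-ejb-jar/enterprise-beans/ejb nesting around them is assumed).
SAMPLE_SUN_EJB_JAR = """<sun-ejb-jar>
  <enterprise-beans>
    <ejb>
      <ejb-name>AccountBean</ejb-name>
      <ior-security-config>
        <transport-config>
          <integrity>SUPPORTED</integrity>
          <confidentiality>NONE</confidentiality>
          <establish-trust-in-target>SUPPORTED</establish-trust-in-target>
          <establish-trust-in-client>NONE</establish-trust-in-client>
        </transport-config>
      </ior-security-config>
    </ejb>
    <ejb>
      <ejb-name>PayrollBean</ejb-name>
      <ior-security-config>
        <transport-config>
          <integrity>REQUIRED</integrity>
          <confidentiality>REQUIRED</confidentiality>
          <establish-trust-in-target>REQUIRED</establish-trust-in-target>
          <establish-trust-in-client>REQUIRED</establish-trust-in-client>
        </transport-config>
      </ior-security-config>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>"""
TRANSPORT_ELEMENTS = ("integrity", "confidentiality", "establish-trust-in-target", "establish-trust-in-client")

def audit_transport_config(xml_text):
    """Map each ejb-name to a list of transport-config weaknesses (empty list = hardened)."""
    findings = {}
    for ejb in ET.fromstring(xml_text).iter("ejb"):
        name = ejb.findtext("ejb-name")
        tc = ejb.find("ior-security-config/transport-config")
        if tc is None:
            findings[name] = ["no transport-config: container defaults apply"]
            continue
        values = {e: (tc.findtext(e) or "MISSING").strip() for e in TRANSPORT_ELEMENTS}
        # SUPPORTED merely offers protection; only REQUIRED rejects an unprotected connection
        problems = [f"{e}={values[e]}: unprotected transport accepted"
                    for e in ("integrity", "confidentiality") if values[e] != "REQUIRED"]
        if values["establish-trust-in-client"] == "NONE":
            problems.append("establish-trust-in-client=NONE: client not authenticated at transport")
        findings[name] = problems
    return findings
```

Note that REQUIRED on establish-trust-in-client obliges every caller to present transport credentials (for example a client certificate), so the hardened form only suits beans whose clients are provisioned for that.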
as-context
Securing Enterprise Beans
Chapter 29 · Securing Java EE Applications
817