Deploying Secure Enterprise Beans

        </transport-config>
        <as-context>
          <auth-method>USERNAME_PASSWORD</auth-method>
          <realm>default</realm>
          <required>true</required>
        </as-context>
        <sas-context>
          <caller-propagation>NONE</caller-propagation>
        </sas-context>
      </ior-security-config>
      <webservice-endpoint>
        <port-component-name>HelloIF</port-component-name>
        <endpoint-address-uri>
          service/HelloWorld
        </endpoint-address-uri>
        <login-config>
          <auth-method>BASIC</auth-method>
        </login-config>
      </webservice-endpoint>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>

Deploying Secure Enterprise Beans

The deployer is responsible for ensuring that an assembled application is secure after it has been
deployed in the target operational environment. If a security view (security annotations and/or
a deployment descriptor) has been provided to the deployer, the security view is mapped to the
mechanisms and policies used by the security domain in the target operational environment,
which in this case is the Application Server. If no security view is provided, the deployer must
set up the appropriate security policy for the enterprise bean application.

Deployment information is specific to a web or application server. Please read the Sun Java
System Application Server 9.1 Application Deployment Guide for more information on
deploying enterprise beans.
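
A pre-deployment check a deployer could run over sun-ejb-jar.xml, as an added example that is not from the tutorial or the Application Server: it flags an as-context that does not require authentication, USERNAME_PASSWORD without required transport confidentiality, and BASIC web service endpoints without a CONFIDENTIAL transport guarantee. The confidentiality and transport-guarantee elements belong to the Application Server descriptor format but are not shown in the fragment above; the sample descriptor, LegacyBean and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the tutorial. HelloBean reuses the fragment's values;
# LegacyBean is deliberately weak. transport-config is cut down to the child read here.
SAMPLE = """<sun-ejb-jar><enterprise-beans>
 <ejb><ejb-name>HelloBean</ejb-name>
  <ior-security-config>
   <transport-config><confidentiality>REQUIRED</confidentiality></transport-config>
   <as-context><auth-method>USERNAME_PASSWORD</auth-method>
    <realm>default</realm><required>true</required></as-context>
   <sas-context><caller-propagation>NONE</caller-propagation></sas-context>
  </ior-security-config>
  <webservice-endpoint><port-component-name>HelloIF</port-component-name>
   <endpoint-address-uri> service/HelloWorld </endpoint-address-uri>
   <login-config><auth-method>BASIC</auth-method></login-config>
  </webservice-endpoint></ejb>
 <ejb><ejb-name>LegacyBean</ejb-name>
  <ior-security-config>
   <transport-config><confidentiality>NONE</confidentiality></transport-config>
   <as-context><auth-method>USERNAME_PASSWORD</auth-method>
    <realm>default</realm><required>false</required></as-context>
   <sas-context><caller-propagation>NONE</caller-propagation></sas-context>
  </ior-security-config></ejb>
</enterprise-beans></sun-ejb-jar>"""

def text(node, path):
    """Trimmed text of a descendant element, or '' when it is absent."""
    return (node.findtext(path) or "").strip()

def audit(descriptor_xml):
    """Return (ejb-name, finding) pairs for a sun-ejb-jar.xml document."""
    findings = []
    for ejb in ET.fromstring(descriptor_xml).iter("ejb"):
        name = text(ejb, "ejb-name")
        for ior in ejb.findall("ior-security-config"):
            if text(ior, "as-context/required").lower() != "true":
                findings.append((name, "as-context does not require client authentication"))
            if (text(ior, "as-context/auth-method") == "USERNAME_PASSWORD"
                    and text(ior, "transport-config/confidentiality") != "REQUIRED"):
                findings.append((name, "USERNAME_PASSWORD without REQUIRED transport confidentiality"))
        for ws in ejb.findall("webservice-endpoint"):
            if (text(ws, "login-config/auth-method") == "BASIC"
                    and text(ws, "transport-guarantee") != "CONFIDENTIAL"):
                findings.append((name, "BASIC login on %s without CONFIDENTIAL transport-guarantee"
                                 % text(ws, "endpoint-address-uri")))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(name + ": " + finding)
```

The check assumes the descriptor comes from the deployer's own build; descriptors from untrusted sources should be parsed with a hardened XML parser such as defusedxml.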

Accepting Unauthenticated Users

Web applications accept unauthenticated web clients and allow these clients to make calls to the
EJB container. The EJB specification requires a security credential for accessing EJB methods.
Typically, the credential will be that of a generic unauthenticated user. The way you specify this
credential is implementation-specific.

Chapter 29 · Securing Java EE Applications