Securing enterprise bean applications

 

Overview

You can protect enterprise bean methods by assigning security roles to them. Before you assign security roles, you need to know which Enterprise JavaBeans (EJB) methods need protecting and how to protect them.

 

Procedure

  1. In an assembly tool, import your EJB Java Archive (JAR) file or an application archive (EAR) file that contains one or more Web modules. For more information, see the Import EJB files article or the Import enterprise applications article.

  2. In the Project Explorer, click the EJB Projects directory and click the name of your application.

  3. Right-click the Deployment descriptor and select Open with > Deployment Descriptor Editor. If you selected an EJB .jar file, an EJB deployment descriptor editor opens. If you selected an application .ear file, an application deployment descriptor editor opens. To see online information about the editor, press F1 and click the editor name.

  4. Create security roles. You can create security roles at the application level or at the EJB module level. If you create a security role at the EJB module level, the role displays in the application level. If a security role is created at the application level, the role does not appear in all the EJB modules. You can copy and paste one or more EJB module security roles that you create at application level:

    • Create a role at an EJB module level. In an EJB deployment descriptor editor, select the Assembly tab. Under Security Roles, click Add. In the Add Security Role wizard, name and describe the security role; then click Finish.

    • Create a role at the application level. In an application deployment descriptor editor, select the Security tab. Under the list of security roles, click Add. In the Add Security Role wizard, name and describe the security role; then click Finish.

  5. Create method permissions. Method permissions map one or more methods to a set of roles. An enterprise bean has four types of methods: Home methods, Remote methods, LocalHome methods and Local methods. You can add permissions to enterprise beans on the method level. You cannot add a method permission to an enterprise bean unless you already have one or more security roles defined. For V2.0 EJB projects, there is an unchecked option that specifies that the selected methods from the selected beans do not require authorization to execute. To add a method permission to an enterprise bean:

    1. On the Assembly tab of an EJB deployment descriptor editor, under Method Permissions, click Add. The Add Method Permission wizard opens.

    2. Select a security role from the list of roles found and click Next.

    3. Select one or more enterprise beans from the list of beans found. You can click Select All or Deselect All to select or deselect all of the enterprise beans in the list. Click Next.

    4. Select the methods that you want to bind to your security role. The Method Elements page lists all methods associated with the enterprise beans. You can click Apply to All or Deselect All to quickly select or clear multiple methods. It selects only the * method for each bean. The * method represents all methods within the bean, and there is a * method for each interface as well. Creating a method permission for the exact method signature overrides the default (*) method permission setting. By not selecting all of the individual methods in the tree, you can set other permissions on the remaining methods.

    5. Click Finish.

    After the method permission is created, you can see the new method permission in the tree. Expand the tree to see the bean and methods defined in the method permission.

  6. Exclude user access to methods. Users cannot access excluded methods. Any method in the enterprise beans that is not assigned to a role or is not excluded is deselected during the application installation by the deployer.

    1. On the Assembly tab of an EJB deployment descriptor editor, under Excludes List, click Add. The Exclude List wizard opens.

    2. Select one or more enterprise beans from the list of beans found and click Next.

    3. Select one or more of the method elements for the security identity and click Finish.

  7. Map the security-role-ref and role-name to the role-link. When developing enterprise beans, you can create the security-role-ref element. The security-role-ref element contains only the role-name field. The role-name field is used to determine whether the caller is in a specified role (isCallerInRole()) and contains the name of the role that is referenced in the code. Because security roles are created during the assembly stage, the developer uses a logical role name in the role-name field and provides enough information in the description field for the assembler to map the actual role (role-link). The security-role-ref element is located at the EJB level. Enterprise beans can have zero or more security-role-ref elements.

    1. On the Reference tab of an EJB deployment descriptor editor, under the list of references, click Add. The Add Reference wizard opens.

    2. Select Security role reference and click Next.

    3. Name the security role reference, select a security role to link the reference to, describe the security role reference, and click Finish.

    4. Map every role-name used during development to the role (role-link) using the previous steps.

  8. Specify the RunAs Identity for enterprise bean components. The RunAs Identity of the enterprise bean is used to invoke the next enterprise beans in the chain of EJB invocations. When the next enterprise beans are invoked, the RunAs Identity passes to the next enterprise beans for performing an authorization check on the next enterprise bean. If the RunAs Identity is not specified, the client identity is propagated to the next enterprise bean. The RunAs Identity can represent each of the enterprise beans or can represent each method in the enterprise beans.

    1. On the Access tab of an EJB deployment descriptor editor, next to the Security Identity (Bean Level) field, click Add. The Add Security Identity wizard opens.

    2. Select the appropriate run as mode, describe the security identity, and click Next. Select the Use identity of caller mode to instruct the security service to not make changes to the credential settings for the principal. Select the Use identity assigned to specific role (below) mode to use a principal that has been assigned to the specified security role for running the bean methods. This association is part of the application binding in which the role is associated with the user ID and password of a user who is granted that role. If you select the Use identity assigned to specific role (below) mode, specify a role name and role description.

    3. Select one or more enterprise beans from the list of beans found and click Next. If Next is unavailable, click Finish.

    4. Optional: On the Method Elements page, select one or more of the method elements for the security identity and click Finish.

  9. Close the deployment descriptor editor and, when prompted, click Yes to save the changes.

 

Result

After securing an EJB application, the resulting .jar file contains security information in its deployment descriptor. The security information of the EJB modules is stored in the ejb-jar.xml file.
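
The following ejb-jar.xml sketch shows the kind of descriptor content that steps 4 through 8 produce. It is an added example, not part of the original article and not output captured from the assembly tool; the bean, class, method and role names are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>AccountBean</ejb-name> <!-- hypothetical bean -->
      <home>com.example.AccountHome</home>
      <remote>com.example.Account</remote>
      <ejb-class>com.example.AccountBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- Step 7: logical name passed to isCallerInRole("mgr"), linked to a declared role -->
      <security-role-ref>
        <description>Callers allowed to approve transfers</description>
        <role-name>mgr</role-name>
        <role-link>Manager</role-link>
      </security-role-ref>
      <!-- Step 8: calls to the next bean run as a principal bound to this role -->
      <security-identity>
        <run-as><role-name>Auditor</role-name></run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- Step 4: security roles defined at the EJB module level -->
    <security-role><role-name>Manager</role-name></security-role>
    <security-role><role-name>Teller</role-name></security-role>
    <security-role><role-name>Auditor</role-name></security-role>
    <!-- Step 5: default (*) permission, then an exact signature that overrides it -->
    <method-permission>
      <role-name>Teller</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>Manager</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>approveTransfer</method-name>
        <method-params><method-param>long</method-param></method-params>
      </method>
    </method-permission>
    <!-- Step 6: no user can call an excluded method -->
    <exclude-list>
      <method><ejb-name>AccountBean</ejb-name><method-name>purgeHistory</method-name></method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
```

When reviewing a descriptor like this, check that every role-link and run-as role-name matches a declared security-role, and that each sensitive method is covered by an exact-signature permission or the exclude list rather than only the * default.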

 

What to do next

After securing an EJB application using an assembly tool, you can install the EJB application using the administrative console. During the installation of a secured EJB application, follow the steps in the Deploying secured applications article to complete the task of securing the EJB application.


 
