Version # Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by the U.S. Department of Defense © 1999 by Carnegie.


Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA. Sponsored by the U.S. Department of Defense. © 1999 by Carnegie Mellon University.

Enterprise JavaBeans: EJB Security Management

Security Management Overview
- The enterprise bean class provider should not hard-code security policies and mechanisms into the business methods
  - allows appropriate deployment for the operational environment of the enterprise
- The application assembler may define
  - security roles for an application: semantic grouping of permissions
  - method permissions for each security role: permission to invoke a specified group of methods

Security Management Overview - 2
[Diagram: Bean Provider, Application Assembler, Deployer and System Admins in relation to the EJB, Security Roles, Method Permissions, Users and Groups]

Bean Provider’s Responsibilities
- The bean provider should not implement security mechanisms or security policies in the enterprise beans’ business methods
  - rely instead on the security mechanisms provided by the EJB Container
- It is possible, however, to programmatically access a Caller’s Security Context...

Programmatically Accessing a Caller’s Security Context
- Two methods allow the bean provider to access security information about the enterprise bean’s caller
  - getCallerPrincipal
  - isCallerInRole
- In general, security management should be enforced by the container
  - the security API should be used infrequently

Declaring Security Roles
- Security roles are declared in the deployment descriptor

...
WombatPayroll
com.wombat.PayrollBean
This security role should be assigned to the employees allowed to update employees’ salaries.
payroll
…

Application Assembler’s Responsibilities
- Define security roles in the deployment descriptor
- Specify the methods of the remote and home interface that each security role is allowed to invoke
- Link declared security role references to security roles

Specifying Security Roles

...
Allows employees to access their own information
employee
Allowed to view/update payroll entries for employees
payroll-department
...

Method permissions

employee
WombatPayroll findByPrimaryKey
WombatPayroll getEmployeeInfo
WombatPayroll updateEmployeeInfo

Linking Security Role References to Security Roles

...
WombatPayroll
com.wombat.PayrollBean
This security role should be assigned to the employees allowed to update employees’ salaries.
payroll
payroll-department
…
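
An added example, not part of the original slides: a Python check over an EJB 1.1 style deployment descriptor that reuses the slides' bean, role and method names. It reports role references that are not linked to a declared security role and declared roles that no method permission mentions. The `<entity>` bean type, the unlinked `auditor` reference and the `audit` function are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: bean, role and method names follow the slides.
# Assumptions: the <entity> bean type and the unlinked "auditor" reference.
DESCRIPTOR = """
<ejb-jar>
  <enterprise-beans>
    <entity>
      <ejb-name>WombatPayroll</ejb-name>
      <ejb-class>com.wombat.PayrollBean</ejb-class>
      <security-role-ref><role-name>payroll</role-name><role-link>payroll-department</role-link></security-role-ref>
      <security-role-ref><role-name>auditor</role-name></security-role-ref>
    </entity>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>employee</role-name></security-role>
    <security-role><role-name>payroll-department</role-name></security-role>
    <method-permission>
      <role-name>employee</role-name>
      <method><ejb-name>WombatPayroll</ejb-name><method-name>findByPrimaryKey</method-name></method>
      <method><ejb-name>WombatPayroll</ejb-name><method-name>getEmployeeInfo</method-name></method>
      <method><ejb-name>WombatPayroll</ejb-name><method-name>updateEmployeeInfo</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

def audit(xml_text):
    """Cross-check role references, declared roles and method permissions."""
    root = ET.fromstring(xml_text)
    declared = {r.findtext("role-name") for r in root.iter("security-role")}
    granted = {}  # role name -> set of (bean name, method name)
    for mp in root.iter("method-permission"):
        methods = {(m.findtext("ejb-name"), m.findtext("method-name")) for m in mp.iter("method")}
        for role in mp.findall("role-name"):
            granted.setdefault(role.text, set()).update(methods)
    unlinked = []  # references whose role-link is missing or names no declared role
    for bean in root.find("enterprise-beans"):
        for ref in bean.iter("security-role-ref"):
            if ref.findtext("role-link") not in declared:
                unlinked.append((bean.findtext("ejb-name"), ref.findtext("role-name")))
    return {
        "unlinked_refs": unlinked,
        "roles_without_permissions": sorted(declared - set(granted)),
        "granted": granted,
    }
```

On the constructed descriptor, the check flags the `auditor` reference as unlinked and `payroll-department` as a declared role that no method permission mentions.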

Deployer’s Responsibilities
- Ensures that an application is secure after it has been deployed in the operational environment
- Assigns principals and/or groups of principals used for managing security in the operational environment to defined security roles
  - not specified in the EJB architecture!
  - specific to that operational environment
- Can use the security view defined in the deployment descriptor merely as “hints”

EJB Container Provider’s Responsibilities
- The EJB container provider provides the implementation of the security infrastructure
- A security domain can be implemented, managed, and administered by the EJB Server
  - e.g., the EJB Server may store X509 certificates
- The EJB specification does not define the scope of the security domain
  - the scope may be defined by the boundaries of the application, EJB Server, operating system, network, or enterprise

System Administrator’s Responsibilities
- Typically responsible for
  - creating a new user account
  - adding a user to a user group
  - removing a user from a user group
  - removing or freezing a user account
- Security domain administration is beyond the scope of the EJB specification...

Proceed with Caution…
[Diagram: an Insecure to Secure scale, labeled EJB Specification, EIS, EJB Server Vendor, Threats]

Summary
- The EJB architecture does not specify how an enterprise should implement its security architecture
  - assignment of security roles to the operational environment’s security concepts is specific to the operational environment
  - identification and authentication left to EJB Server vendors
- Security will be vendor specific for some time
  - no plans to address problem in EJB 2.0
