Creating competitive advantage Copyright © 2003 Enterprise Java Beans Presenter: Wickramanayake HMKSK Version:0.1 Last Updated:

Presentation transcript:

Enterprise Java Beans: EJB-Tier Security. Presenter: Wickramanayake HMKSK. Version: 0.1. Last Updated: 02-Sept-2003

Contents
 Overview
 EJB Security Terms
 Relationship between EJB Security Entities
 Declarative Security
 Programmatic Security
 Responsibilities of
   Bean Developer
   Application Assembler
   Deployer

Overview
 In general, users of a system must be authorized before they can perform operations
 Authorization depends on proper identification of users
 Identification depends on proper authentication
 With EJBs, security features come in two forms:
   Declarative Security: no hard coding; the requirements are specified in the deployment descriptor (DD)
   Programmatic Security: a combination of code in the bean and specification in the DD

EJB Security Terms
 User: the end user or client making the call. Could be a system name, an IP address or some other form of identification.
 Principal: a user identity that has been sufficiently authenticated based on the requirements of the target runtime environment.
 Role: a logical grouping encapsulating the representation of a set of needs.
 Security Domain: defined in the target environment, generally as the namespace of the set of users, principals, roles/memberships and mappings to DD roles.
 Security View: the set of roles as defined by the application assembler and placed in the DD.

Relationship Between EJB Security Entities
[Diagram: five columns labelled Users, Principals, Roles, Role References and DD, read left to right. Labels shown in the diagram: Dan (IP Add), John (cert), Chief Accnt, John Mathew, Payroll Updater, Empl Reporter, Payroll Chief, Management.]

Declarative Security Example
 Declare method permissions (associate methods with roles):
  1. Select the enterprise bean.
  2. Select the Security tab.
  3. In the Method Permissions table, select "Sel Roles" in the Availability column.
  4. Then select a role's checkbox if that role should be allowed to invoke a method.
 Map roles to J2EE users and groups:
  1. Select the application.
  2. Select the Security tab.
  3. Associate roles with J2EE users/groups.

creating competitive advantage Copyright © 2003 creating competitive advantage Programmatic Security  Using getCallerPrincipal() method  Allows bean to verify principal  Not intended for security enforcement  Does not utilize roles Principal p = ctx.getCallerPrincipal(); if(p.getName().equalsIgnoreCase(“Fred Smith”)) // tailor the method for Fred Smith else // unrecognized name throw new MyApplicationException(p.getName() + “ invalid”); public String getUser() { return context.getCallerPrincipal().getName(); }

creating competitive advantage Copyright © 2003 creating competitive advantage Programmatic Security  Using isCallerInRole() method  Somewhat similar to getCallerPrincipal()  Allows recognition of roles without bean trying to identify principal  Role can be defined in the DD as a reference  Would introduce portability problems! if(ctx.isCallerInRole(“payroll-admin”)) // then allow editing the payroll info else // not an administrator // allow viewing of data only

Responsibilities of Bean Developer
 Normally the bean provider does not stipulate any security requirements
 If the bean provider makes a reference to a role name in the bean, a role reference must be declared in the DD (ejb-jar.xml), within the entry for the Employees bean:

    <ejb-name>Employees</ejb-name>
    ...
    <security-role-ref>
        <description>Needs access to update payroll info</description>
        <role-name>payroll-admin</role-name>
    </security-role-ref>
    ...

creating competitive advantage Copyright © 2003 creating competitive advantage Responsibilities of Application Assembler  Can define security information, or defer to deployer  Assembler defines:  Roles  Method permissions by role  Role reference resolution to actual role names  Definition of Roles: Allow access to employee payroll Payroll-Chief

creating competitive advantage Copyright © 2003 creating competitive advantage Responsibilities of Application Assembler  Definition of Method Permissions: Payroll-Chief Employees getSalary Employees setSalary...

creating competitive advantage Copyright © 2003 creating competitive advantage Responsibilities of Application Assembler  Definition of Role Reference Resolution: Employees... Needs access to update payroll info payroll-admin Payroll-Chief...

Responsibilities of Deployer
 Declare principals and roles in the security domain
 Map DD roles to roles defined in the security domain
 Configure principal delegation for inter-component calls
 Create resource access policies and mappings
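To tie the three responsibilities together (bean developer's role reference, assembler's roles and method permissions, deployer's mapping of roles to principals), here is a container-free simulation of the resolution chain the "Relationship Between EJB Security Entities" slide draws. It is an added example, not code from the presentation: it parses a constructed ejb-jar.xml fragment using the standard EJB 2.x elements (security-role-ref, role-link, security-role, method-permission), takes a plain map as a stand-in for the deployer's vendor-specific role-to-principal mapping, and then answers the two questions a container answers: may this principal invoke Bean.method (declarative), and is the caller in the coded role (programmatic isCallerInRole). The class name, the principals John and Dan, and the mapping are all constructed; Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example (not from the slides): simulates how a container resolves
 *  Users -> Principals -> Roles -> Role References -> DD. */
public class RoleResolutionDemo {

    // Constructed DD fragment. Bean developer: role reference "payroll-admin".
    // Assembler: role Payroll-Chief, linked to the reference and granted
    // getSalary and setSalary on the Employees bean.
    static final String EJB_JAR_XML =
        "<ejb-jar><enterprise-beans><session>\n" +
        " <ejb-name>Employees</ejb-name>\n" +
        " <security-role-ref>\n" +
        "  <description>Needs access to update payroll info</description>\n" +
        "  <role-name>payroll-admin</role-name>\n" +
        "  <role-link>Payroll-Chief</role-link>\n" +
        " </security-role-ref>\n" +
        "</session></enterprise-beans>\n" +
        "<assembly-descriptor>\n" +
        " <security-role><role-name>Payroll-Chief</role-name></security-role>\n" +
        " <method-permission>\n" +
        "  <role-name>Payroll-Chief</role-name>\n" +
        "  <method><ejb-name>Employees</ejb-name><method-name>getSalary</method-name></method>\n" +
        "  <method><ejb-name>Employees</ejb-name><method-name>setSalary</method-name></method>\n" +
        " </method-permission>\n" +
        "</assembly-descriptor></ejb-jar>";

    // Deployer's mapping of DD roles to principals of the security domain
    // (vendor-specific in a real server; assumption: a plain map stands in for it).
    static final Map<String, Set<String>> ROLE_TO_PRINCIPALS =
        Map.of("Payroll-Chief", Set.of("John"));

    final Map<String, String> roleLinks = new HashMap<>();        // coded name -> DD role
    final Set<String> declaredRoles = new HashSet<>();
    final Map<String, Set<String>> methodRoles = new HashMap<>(); // "Bean.method" -> roles

    RoleResolutionDemo(String ddXml) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(ddXml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        for (Element ref : descendants(root, "security-role-ref"))
            roleLinks.put(text(ref, "role-name"), text(ref, "role-link"));
        for (Element role : descendants(root, "security-role"))
            declaredRoles.add(text(role, "role-name"));
        for (Element perm : descendants(root, "method-permission")) {
            String role = text(perm, "role-name");
            for (Element m : descendants(perm, "method"))
                methodRoles.computeIfAbsent(text(m, "ejb-name") + "." + text(m, "method-name"),
                                            k -> new HashSet<>()).add(role);
        }
    }

    /** Declarative check: does any role permitted on Bean.method contain the principal? */
    boolean mayInvoke(String principal, String bean, String method) {
        for (String role : methodRoles.getOrDefault(bean + "." + method, Set.of()))
            if (ROLE_TO_PRINCIPALS.getOrDefault(role, Set.of()).contains(principal)) return true;
        return false; // no method-permission covers the call: the container rejects it
    }

    /** Programmatic check: isCallerInRole(codedName) resolved through the role-link. */
    boolean isCallerInRole(String principal, String codedRoleName) {
        String ddRole = roleLinks.get(codedRoleName);
        if (ddRole == null || !declaredRoles.contains(ddRole)) return false; // unlinked reference
        return ROLE_TO_PRINCIPALS.getOrDefault(ddRole, Set.of()).contains(principal);
    }

    /** All descendant elements named tag (getElementsByTagName matches exact names only). */
    static List<Element> descendants(Element parent, String tag) {
        NodeList nl = parent.getElementsByTagName(tag);
        List<Element> out = new ArrayList<>();
        for (int i = 0; i < nl.getLength(); i++) out.add((Element) nl.item(i));
        return out;
    }

    static String text(Element parent, String tag) {
        NodeList nl = parent.getElementsByTagName(tag);
        return nl.getLength() == 0 ? null : nl.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        RoleResolutionDemo container = new RoleResolutionDemo(EJB_JAR_XML);
        System.out.println("John setSalary: " + container.mayInvoke("John", "Employees", "setSalary"));
        System.out.println("Dan  setSalary: " + container.mayInvoke("Dan", "Employees", "setSalary"));
        System.out.println("John in payroll-admin: " + container.isCallerInRole("John", "payroll-admin"));
        System.out.println("Dan  in payroll-admin: " + container.isCallerInRole("Dan", "payroll-admin"));
    }
}
```

The point to notice is that the bean code never sees "Payroll-Chief" or "John": it only knows the coded name "payroll-admin", and each of the three parties can change its own layer (the link, the method permissions, the principal mapping) without touching the others. If the assembler forgets the role-link, isCallerInRole() returns false here, which is the portability problem the slides warn about showing up at runtime.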

Questions & Feedback?