1
EJB Security
CSCI 5931 Web Security
Kartikeya Kakarala, Young Ho Choung
2
Contents
–Introduction
–Traditional Client/Server Architecture
–Multi-tier Architecture
–EJB Architecture & its Roles
–EJB Security model
–Method Permissions
–Programmatic Security
–Conclusions
–References
3
Enterprise Java Beans: Introduction
–Enterprise Java Beans (EJB) is a standard server-side component model.
–The EJB architecture logically extends the Java Beans component model to support server components.
–An EJB is a non-visual Java Bean that runs on a server.
4
Introduction (cont.)
An EJB is
–A collection of Java classes
–An XML file
–Bundled into a single unit
–The Java classes must follow certain rules
–The Java classes must provide callback methods
5
Traditional Client/Server Architecture
In a traditional client/server application, the client application contains:
–presentation logic (windows and control manipulation)
–business logic (algorithms and business rules)
–data manipulation logic (database connections and SQL queries)
6
Multi-tier Architecture
–Client applications contain only presentation logic: a thin client.
–Business logic and data access logic are partitioned into separate components and deployed onto one or more servers.
8
EJB Architecture
The EJB architecture is gaining broad acceptance due to its high-value benefits, which directly address the needs of today's diverse server development community, such as:
–Scalability
–Simplicity
–Ease of development
–Security
–Interoperability
–Component-based computing
–Application containers
9
EJB Architecture Roles
Various EJB architecture roles handle EJB development and deployment. They are:
–Bean Provider
–Application Assembler
–Deployer
–EJB Service Provider
–EJB Container Provider
–System Administrator
10
Bean Provider
The Bean Provider
–Writes the individual Enterprise Java Beans.
–Can be a business entity or system encapsulated as entity or session beans.
–Creates the deployment descriptor.
11
Application Assembler
An Application Assembler
–Creates a full application from individual beans.
–May also create JSPs and servlets that utilize those beans.
–Edits the deployment descriptors to fit the application.
12
Deployer
A Deployer
–Deploys the application into a running EJB Server.
–Sets up the interaction between the architecture as envisioned by the assembler and the actual environment in which it runs.
13
EJB Service Provider & EJB Container Provider
The EJB Service Provider and the EJB Container Provider work together to write the EJB Server.
–Figure displaying the EJB model
14
System Administrator
The System Administrator
–Takes care of the computer systems that run the EJB Server and related services.
–Administers the operating systems and network related to the server.
15
EJB Security model
The EJB 1.1 security model
–Is role based, and helps to restrict access to beans and their methods based on a client’s role.
–Provides an easy way to control who can call which beans and methods, and automatically establishes the identity of the caller.
–An example of defining roles is an online banking application (pg 239, 240).
16
Examples of Security Goals
–A customer can access only her own account
–A trader can only execute transactions that have a value less than one million Swiss francs
–A tax inspector is prohibited from modifying her own tax liability data
–An underage subscriber does not have access to an X-rated online movie
17
Method Permissions
–Access to the beans and their methods can be restricted based on roles. For this, each role must be listed in the deployment descriptor.
–Method permissions are defined using method-permission elements.
–Each method-permission element contains a role-name element and one or more EJBs and their methods, as defined by ejb-name and method-name elements.
–Sample of the method: pg 240-241.
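To make the method-permission structure concrete, the following added example (not from the slides or the cited book) audits a descriptor for two things a reviewer would check: roles granted access without being listed as a security-role, and grants that use the `*` method-name wildcard. The descriptor fragment, the bean name `AccountBean`, the role names and the class name are constructed for illustration.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;
public class MethodPermissionAudit {
    // Constructed assembly-descriptor fragment; "admin" is deliberately left undeclared.
    static final String DESCRIPTOR = """
        <assembly-descriptor>
          <security-role><role-name>customer</role-name></security-role>
          <security-role><role-name>banker</role-name></security-role>
          <method-permission><role-name>customer</role-name>
            <method><ejb-name>AccountBean</ejb-name><method-name>getOwnBalance</method-name></method>
          </method-permission>
          <method-permission><role-name>banker</role-name><role-name>admin</role-name>
            <method><ejb-name>AccountBean</ejb-name><method-name>*</method-name></method>
          </method-permission>
        </assembly-descriptor>""";

    static List<String> texts(Element parent, String tag) {
        List<String> out = new ArrayList<>();
        NodeList nodes = parent.getElementsByTagName(tag);
        for (int i = 0; i < nodes.getLength(); i++) out.add(nodes.item(i).getTextContent().trim());
        return out;
    }

    static List<String> audit(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Real descriptors carry a DOCTYPE: parse it, but never fetch external DTDs or entities.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        Element root = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml))).getDocumentElement();
        Set<String> declared = new HashSet<>();
        NodeList roles = root.getElementsByTagName("security-role");
        for (int i = 0; i < roles.getLength(); i++) declared.addAll(texts((Element) roles.item(i), "role-name"));
        List<String> findings = new ArrayList<>();
        NodeList perms = root.getElementsByTagName("method-permission");
        for (int i = 0; i < perms.getLength(); i++) {
            Element perm = (Element) perms.item(i);
            boolean wildcard = texts(perm, "method-name").contains("*");
            for (String role : texts(perm, "role-name")) {
                if (!declared.contains(role)) findings.add("undeclared role: " + role);
                if (wildcard) findings.add("all methods granted to: " + role);
            }
        }
        return findings;
    }
    public static void main(String[] a) throws Exception { audit(DESCRIPTOR).forEach(System.out::println); }
}
```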
18
Programmatic Security
–Normally the Application Assembler and the Deployer configure security in an EJB server.
–Sometimes the Bean Provider has to access security information programmatically, for which EJB provides 2 methods:
–Principal getCallerPrincipal()
–boolean isCallerInRole(String roleName)
19
First Method: getCallerPrincipal()
–It returns a Principal object corresponding to the identity of the caller.
–It allows the use of the identity of the caller inside the code of the bean.
–Example: if we want a customer to view their own balance but nobody else’s, we could do that by getting the principal of the caller and using that to fetch their account.
–pg 242.
20
Second Method: isCallerInRole()
–Boolean function returning true if the caller is in the role, and false otherwise.
–Usually used when simple permissions are not enough.
–Example: if we have a situation where we need to give bankers permission to add only up to 1000$ to an account at a time, while admin is given all rights. This can be done as on pg 243.
21
Security-role-ref Element
The security-role-ref element
–It alerts the Application Assembler and the Deployer if a particular role has a dependency in a bean.
–This security role will have no limit on the size of transaction (admin)
–Pg 243
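The two programmatic calls applied to the slides' banking example, as an added illustration that is not the code from the cited book: `getCallerPrincipal()` selects the caller's own account, and `isCallerInRole()` enforces the banker deposit limit. The class, method and exception names, the in-memory balances and the role names `banker` and `admin` are assumptions; the bean compiles against the `javax.ejb` API and expects a container to supply the `SessionContext`.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Hypothetical session bean for the slides' banking example. The role names
// "banker" and "admin" are assumptions and need matching security-role-ref entries.
public class AccountBean implements SessionBean {
    // Application exception: reported to the caller without discarding the bean instance.
    public static class AccountException extends Exception {
        public AccountException(String message) { super(message); }
    }

    private static final double BANKER_LIMIT = 1000.0; // per-deposit limit from the slide
    // Constructed balances keyed by principal name, standing in for a database.
    private final Map<String, Double> balances = new HashMap<>();
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() { balances.put("alice", 250.0); balances.put("bob", 40.0); }
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // getCallerPrincipal(): the account key is the identity the container established,
    // never a client-supplied argument, so callers can read only their own balance.
    public double getOwnBalance() throws AccountException {
        Principal caller = ctx.getCallerPrincipal();
        Double balance = balances.get(caller.getName());
        if (balance == null) throw new AccountException("no account for " + caller.getName());
        return balance;
    }

    // isCallerInRole(): an amount-dependent rule that method permissions cannot express.
    public void deposit(String account, double amount) throws AccountException {
        if (!(amount > 0) || Double.isInfinite(amount))   // also rejects NaN
            throw new AccountException("amount must be a positive, finite number");
        if (!balances.containsKey(account)) throw new AccountException("unknown account");
        boolean allowed = ctx.isCallerInRole("admin")
                || (ctx.isCallerInRole("banker") && amount <= BANKER_LIMIT);
        if (!allowed) throw new AccountException("deposit not permitted for this caller");
        balances.put(account, balances.get(account) + amount);
    }
}
```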
22
Conclusions
–EJB Security focuses on minimal programmatic and declarative access control mechanisms.
–This mechanism provides role-based access control for EJB.
–Access restriction can be successfully obtained using the EJB Security model.
23
References
–Garms, Jess and Daniel Somerfield. Professional Java Security. Wrox, 2001. (ISBN: 1861004257)
–Perrone, Paul. Article on EJB Security. http://www.informit.com
–www.ibm.com/research/security
–www.javaworld.com/javaworld/jw-02-2002/jw-0215-ejbsecurity.html
–www.java.sun.com/ejbsecurity