JSR-000058 Java TM 2 Platform, Enterprise Edition 1.3 Specification

More documents

Recommendations

Info

3.3.8 Authorization Model The J2EE authorization model is based on the concept of security roles. A security role is a logical grouping of users that is defined by an Application Component Provider or Assembler. It is then mapped by a Deployer to security identities (e.g., principals, groups, etc.) in the operational environment. A security role can be used either with declarative security or with programmatic security. Declarative authorization can be used to control access to an enterprise bean method and is specified in the deployment descriptor. An enterprise bean method can be associated with a method-permission element in the deployment descriptor. The method-permission element contains a list of methods that can be accessed by a given security role. If the calling principal is in one of the security roles allowed access to a method, the principal is allowed to execute the method. Conversely, if the calling principal is in none of the roles, the caller is not allowed to execute the method. Access to web resources can be protected in a similar manner. A security role can be used in the EJBContext method isCallerInRole and the HttpServletRequest method isUserInRole. Each method returns true if the calling principal is in the specified security role. 3.3.9 Role Mapping Enforcement of either programmatic or declarative security depends upon determining if the principal associated with an incoming request of an enterprise bean or web resource is in a given security role or not. A container makes this determination based on the security attributes of the calling principal. For example, 1. A Deployer could have mapped a security role to a user group in the operational environment. In this case, the user group to which the calling principal belongs is retrieved from its security attributes. If the principal’s user group matches the user group in the operational environment that the security role has been mapped to, the principal is in the security role. 2. A Deployer could have mapped a security role to a principal name in a security policy domain. In this case, the principal name of the calling principal is retrieved from its security attributes. If this principal is the same as the principal name to which the security role was mapped, the calling principal is in the security role. 3-10 Java 2 Platform Enterprise Edition, v1.3 Proposed Final Draft (Sun Microsystems, Inc.)
The source of security attributes may vary across implementations of the J2EE platform. Security attributes could have been transmitted in the calling principal’s credential or in the security context. If security attributes are not transmitted, they may be retrieved from a trusted third party such as a directory service or security service. 3.3.10 HTTP Login Gateways Secure interoperability between enterprise beans in different security policy domains is not addressed in this specification. A future version will specify an interoperability protocol (based on industry standards) that will allow EJB containers in different domains to interoperate securely. To gain access to another J2EE product that may be incompatible (i.e., in terms of communications protocols, security technology, or policy domain), a component may choose to log in to a foreign server via HTTP. HTTP over SSL can be used to provide secure, interoperable communication between J2EE products from different providers. An application component can be configured to use SSL mutual authentication when accessing a remote resource using HTTP. Applications using HTTP in this way may want to exchange data using XML or some other structured format, rather than HTML. We call this use of HTTP with SSL mutual authentication to access a remote service an HTTP Login Gateway. Requirements in this area are specified in Section 3.4.1, “Web Clients.” 3.3.11 User Authentication User authentication is the process by which a user proves his or her identity to the system. This authenticated identity is then used to perform authorization decisions for accessing J2EE application components. An end user can authenticate using either of the two supported client types: ■ Web client ■ Application client 3.3.11.1 Web Client A web client can authenticate a user to a web server using one of the following mechanisms: ■ HTTP Basic Authentication Chapter 3 Security 3-11
Page 1 and 2: Java 2 Platform Enterprise Edition
Page 3 and 4: RESTRICTED RIGHTS LEGEND. If this S
Page 5 and 6: Contents 1. Introduction 1-1 Acknow
Page 7 and 8: 3.5 Authorization Requirements 3-19
Page 9 and 10: 5.6.3 J2EE Product Provider’s Res
Page 11 and 12: 11.2 JNLP (Java Web Start) 11-2 11.
Page 13 and 14: CHAPTER 1 Introduction Enterprises
Page 15 and 16: CHAPTER 2 Platform Overview This ch
Page 17 and 18: Underlying the J2EE containers is t
Page 19 and 20: may use JavaIDL to act as clients o
Page 21 and 22: 2.2 Product Requirements This speci
Page 23 and 24: A J2EE Product Provider must provid
Page 25 and 26: 2.5 Platform Contracts 2.5.1 J2EE A
Page 27 and 28: CHAPTER 3 Security This chapter des
Page 29 and 30: Step 2: Initial Authentication The
Page 31 and 32: “not authorized” outcome is rea
Page 33 and 34: 3.3.3 Terminology This section intr
Page 35: These methods allow components to m
Page 39 and 40: Form Based Authentication The look
Page 41 and 42: 3.4 User Authentication Requirement
Page 43 and 44: ■ Allow the deployer or system ad
Page 45 and 46: The support for principal delegatio
Page 47 and 48: While most J2EE products will allow
Page 49 and 50: CHAPTER 4 Transaction Management Th
Page 51 and 52: 4.2 Requirements This section defin
Page 53 and 54: 4.2.2 Enterprise JavaBeans Componen
Page 55 and 56: JMS providers use the javax.transac
Page 57 and 58: J2EE application components may use
Page 59 and 60: CHAPTER 5 Naming This chapter descr
Page 61 and 62: 3. The Deployer uses the tools prov
Page 63 and 64: 5.2.1.2 Declaration of environment
Page 65 and 66: ■ Provide a deployment tool that
Page 67 and 68: 5.3.1.2 Declaration of EJB referenc
Page 69 and 70: This is a reference to the entity b
Page 71 and 72: special entries in the application
Page 73 and 74: 5.4.1.2 Declaration of resource man
Page 75 and 76: ■ Bind the resource manager conne
Page 77 and 78: 5.5.1.1 Resource environment refere
Page 79 and 80: ■ The Deployer must ensure that a
Page 81 and 82: 5.6.4 System Administrator’s Resp
Page 83 and 84: CHAPTER 6 Application Programming I
Page 85 and 86: 6.2 Java 2 Platform, Standard Editi
Page 87 and 88:
Note that an operating system that
Page 89 and 90:
6.2.2.3 JDBC API The JDBC API allow
Page 91 and 92:
■ setBinaryStream(int parameterIn
Page 93 and 94:
6.2.2.5 RMI-JRMP 6.2.2.6 RMI-IIOP I
Page 95 and 96:
6.2.2.7 JNDI A J2EE product must ma
Page 97 and 98:
enterprise beans. All EJB container
Page 99 and 100:
typically not possible to create th
Page 101 and 102:
The JavaMail API uses the JavaBeans
Page 103 and 104:
6.12 J2EE Connector Architecture 1.
Page 105 and 106:
CHAPTER 7 Interoperability This cha
Page 107 and 108:
■ HTTP 1.0—This is the core pro
Page 109 and 110:
■ Class file format—The class f
Page 111 and 112:
CHAPTER 8 Application Assembly and
Page 113 and 114:
8.1 Application Development Life Cy
Page 115 and 116:
8.1.3 Application Assembly A J2EE a
Page 117 and 118:
. Synchronize security role-names a
Page 119 and 120:
8.3.1 Deploying a Stand-Alone J2EE
Page 121 and 122:
8.4 J2EE:application XML DTD This s
Page 123 and 124:
Chapter 8 Application Assem
Page 125 and 126:
Chapter 8 Application Asse
Page 127 and 128:
CHAPTER 9 Application Clients This
Page 129 and 130:
9.3 Transactions Application client
Page 131 and 132:
or the DOCTYPE declaration from a p
Page 133 and 134:
--> Chapter 9 Application Cli
Page 135 and 136:
The env-entry element contains the
Page 137 and 138:
com.wombat.empl.EmployeeService -->
Page 139 and 140:
The resource-env-ref-type element s
Page 141 and 142:
CHAPTER 10 Service Provider Interfa
Page 143 and 144:
CHAPTER 11 Future Directions This v
Page 145 and 146:
11.4 JDBC RowSets RowSets provide a
Page 147 and 148:
APPENDIX A Previous Version DTDs Th
Page 149 and 150:

Page 151 and 152:
Chapter A Previo
Page 153 and 154:
Chapter A Previous Version D
Page 155 and 156:
Chapter A Previous Version DTD
Page 157 and 158:
Chapter A Previous Version DTD
Page 159 and 160:
Chapter A Previous
Page 161 and 162:
APPENDIX A Revision History A.1 Cha
Page 163 and 164:
■ Clarified roles of JRMP and RMI
Page 165 and 166:
A.5 Changes in Proposed Final Draft
Page 167 and 168:
APPENDIX B Related Documents This s
Page 169 and 170:
The SSL Protocol, Version 3.0. Avai
show all

JSR-000058 Java TM 2 Platform, Enterprise Edition 1.3 Specification

Create successful ePaper yourself

Delete template?

Save as template?