The first article in this two-part tutorial discussed how to secure web components when using the JAAS framework. Since J2EE components are divided into web components and business components, the next logical step is to learn how to secure business components. That is the topic of this article.
Last time we discussed securing web components, such as JSPs and servlets, using the JAAS framework. The next natural step is securing business components. But before moving into this realm of securing J2EE applications, let's recapitulate. The following were the steps required to secure web components:
Implement the LoginModule.
Write the CallbackHandler.
Provide custom implementations for Principal and Action (this is optional).
Configure the JAAS policy file.
Configure the J2EE Application server.
Though the complete procedure was traced step by step, something was left out: the interaction between the JAAS framework and the J2EE containers needs to be understood. This is even more essential in the case of business components, because part of the declarative approach comes into the picture. So first I will discuss the interaction in detail, and then move on to the implementation of JAAS in securing EJBs.