
JAAS, Securing EJB

The first article in this two-part tutorial discussed how to secure web components using the JAAS framework. Since J2EE components are divided into web components and business components, the next logical step is to learn how to secure business components. That is the topic of this article.

Author Info:
By: A.P.Rajshekhar
August 24, 2005
  1. · JAAS, Securing EJB
  2. · JAAS and J2EE Container Interaction
  3. · JAAS and EJB- Implementing JAAS for EJB
  4. · Authenticating the user within the EJB


JAAS, Securing EJB - JAAS and J2EE Container Interaction
(Page 2 of 4 )

The best way to understand the interaction between the two systems is to examine the activations and the sequence of messages passed between them. A sequence diagram is the easiest way to represent this interaction. The following sequence represents the communication between JAAS and the container.

[Figure: sequence diagram of the communication between JAAS and the container, shown in four parts]


The different steps followed during the communication are as follows:

  1. First, the browser sends a request for an action to be performed. Here the action is “add bug.”
  2. The root container invokes the doFilter method of the “authFilter” servlet filter. Here the root container means the application server itself; an application server such as BEA WebLogic contains both a servlet container and an EJB container. The filter authFilter is a fictitious filter I am using to explain the steps.
  3. Next, the getAttribute method of the HttpSession object is invoked to extract the user information gathered at login.
  4. Once the user information is extracted, it is passed to a Subject object. All of this is performed by the container by calling the corresponding methods and objects.
  5. The filter does one more task: it creates a new instance of userAction, which implements the PrivilegedAction interface.
  6. Then the doAsPrivileged method is invoked on the Subject, which in turn executes the run method of userAction.
  7. This invokes the doFilter method of the FilterChain. doFilter passes the request to editBug.jsp by invoking its service method. When service is invoked, since the JSP is under a realm, the request is first passed to the checkPermission method of AccessController.
  8. The next step involves the getAttribute method of HttpSession being called to get the user information, which is then used to get the corresponding Principals of the user. This invokes the CallbackHandler instance to authenticate the user and check his/her privileges. The call to the CallbackHandler and the privilege check are repeated for each access request. This process is not shown here because the call to getPrincipals itself starts it.
  9. Once authentication is done, the response is sent to the user.
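The filter side of steps 2 through 7, written out as an added example (this is illustrative code, not the article's own or any container's implementation). It assumes J2EE-era javax.servlet and javax.security.auth APIs, a session attribute name jaas.subject, a hypothetical BugPermission class, and a hypothetical RolePrincipal class in the policy grant; all of these are assumptions, not something the article defines.

```java
import java.io.IOException;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Servlet filter standing in for the article's "authFilter": it looks up the
 * Subject that the login code stored in the session and runs the rest of the
 * chain as that Subject. Example code; attribute name and permission class are assumed.
 */
public class AuthFilter implements Filter {

    /** Session attribute under which the login code stores the Subject (assumed name). */
    public static final String SUBJECT_ATTR = "jaas.subject";

    /** Hypothetical permission guarding bug-tracker actions such as "add" or "edit". */
    public static final class BugPermission extends BasicPermission {
        public BugPermission(String action) {
            super(action);
        }
    }

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    public void doFilter(final ServletRequest request, final ServletResponse response,
                         final FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Step 3: getAttribute on the HttpSession. The Subject must only ever be put
        // here by code that ran LoginContext.login() successfully; the filter trusts
        // it as-is, so an unauthenticated session has no Subject and is rejected.
        HttpSession session = httpRequest.getSession(false);
        Subject subject = (session == null) ? null : (Subject) session.getAttribute(SUBJECT_ATTR);
        if (subject == null) {
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        try {
            // Steps 5-6: wrap the rest of the chain in a privileged action and run it as
            // the Subject. With a null AccessControlContext, downstream checkPermission
            // calls are evaluated against the Subject's Principals and this action's own
            // code source, not against the container's frames further down the stack.
            Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException, ServletException {
                    chain.doFilter(request, response);   // step 7: on to editBug.jsp
                    return null;
                }
            }, null);
        } catch (PrivilegedActionException e) {
            // doAsPrivileged wraps the checked exceptions thrown by run(); unwrap them
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            if (cause instanceof ServletException) {
                throw (ServletException) cause;
            }
            throw new ServletException(cause);
        } catch (AccessControlException denied) {
            // checkPermission failed down the chain: authenticated but not authorised
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, denied.getMessage());
        }
    }
}

/**
 * Stand-in for editBug.jsp: the protected component calls checkPermission before
 * doing its work. Because the filter's doAsPrivileged frame is on the stack, the
 * policy's principal-based grants for the session Subject apply here. Assumed
 * policy grant (RolePrincipal is a hypothetical class):
 *   grant principal com.example.auth.RolePrincipal "developer" {
 *       permission AuthFilter$BugPermission "edit";
 *   };
 */
class EditBugServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        AccessController.checkPermission(new AuthFilter.BugPermission("edit"));
        // ... update the bug and render the page ...
    }
}
```

Two things have to be true for the check to mean anything: the container must be running with a SecurityManager and the policy file that carries the grant, and the filter's own code source must be granted javax.security.auth.AuthPermission "doAsPrivileged", otherwise the call itself is refused. Note also that doAsPrivileged and AccessController are deprecated for removal in recent JDKs; this example targets the J2EE-era platform the article describes.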

In essence, JAAS sits at the boundary of the application, authenticates and authorizes each request for a secured page, and activates the JAAS modules. Note that the filter trusts whatever Subject it finds in the session, so that Subject must only be stored there after a successful LoginContext login; the checkPermission call is only as strong as the Subject it is evaluated against. That is how JAAS works with web components and pages.

Now I will discuss how to make use of JAAS with EJB. An EJB is a business component: all the business processing logic goes into an EJB. The logic can be data oriented (Entity Beans) or process oriented (Session Beans), so securing EJBs is a must. To show how to use JAAS in securing an EJB, I will be using Session Beans and the façade pattern.
