The first article in this two-part tutorial discussed how to secure web components when using the JAAS framework. Since J2EE components are divided into web components and business components, the next logical step is to learn how to secure business components. That is the topic of this article.
JAAS, Securing EJB - JAAS and J2EE Container Interaction (Page 2 of 4 )
The best way to understand the interaction between the two systems is to examine the activation and the sequence of messages being passed between the two interacting systems. A sequence diagram is the easiest way to represent this interaction. Following is the sequence representing the communication between JAAS and the container.
Overview figure: the complete sequence diagram of the JAAS/container interaction. The detail figures that follow break it into four parts.
The different steps followed during the communication are as follows:
First there is a browser request for an action to be performed. Here the action is “add bug.”
The root container invokes the doFilter method of the "authFilter" servlet filter. Here the root container means the application server itself; an application server such as BEA WebLogic has both a servlet container and an EJB container. The servlet filter authFilter is a fictitious filter I am using to explain the steps.
Next, the getAttribute method of HttpSession object is invoked to extract the gathered user information.
Once the user information is extracted, it is used to build the Subject that represents the user. All of this happens inside the container, which invokes the corresponding methods on these objects.
The servlet filter does one more task. It creates a new instance of userAction, a class that implements PrivilegedAction.
Then Subject.doAsPrivileged is invoked with that Subject and the userAction, which in turn executes the run method of userAction as the Subject.
The run method invokes doFilter on the FilterChain. doFilter passes the request to editBug.jsp by invoking its service method. Because the JSP is a protected resource under a realm, the request first goes through the checkPermission method of AccessController before service runs.
The next step is a further call to the getAttribute method of HttpSession to get the user information, which is then used to obtain the corresponding Principals of the user through getPrincipals. This is what invokes the CallbackHandler instance to authenticate the user and check his/her privileges. The CallbackHandler invocation and the privilege check are repeated for each access request; the diagram does not show them separately because the call to getPrincipals itself starts the process.
Once the permission check succeeds, the JSP executes and the response is sent to the user.
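The filter from steps 2 through 6, written out as an added Java example; this is not code from the original article. The class names AuthFilter, BugPermission and BugAccess, the session attribute name jaas.subject and the policy grant shown in the comments are assumptions, chosen to match the fictitious authFilter and editBug.jsp of the diagram. It uses the javax.servlet and javax.security.auth APIs the article targets.

```java
// Added example, not part of the original article. Names below are assumptions.
import java.io.IOException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical application permission guarding bug-tracker actions such as "add". */
class BugPermission extends BasicPermission {
    BugPermission(String action) { super(action); }
}

/**
 * Helper a protected page such as editBug.jsp calls before doing anything sensitive.
 * It only enforces something when the JVM runs with a Policy that grants the
 * permission to one of the Subject's Principals, e.g. (assumed principal class):
 *
 *   grant principal com.example.BugPrincipal "developer" {
 *       permission com.example.BugPermission "add";
 *   };
 */
final class BugAccess {
    private BugAccess() {}
    static void require(String action) {
        // Throws java.security.AccessControlException unless the current
        // AccessControlContext (the Subject bound by doAsPrivileged) holds the permission.
        AccessController.checkPermission(new BugPermission(action));
    }
}

/** The article's fictitious "authFilter": binds the session's Subject to the request. */
public class AuthFilter implements Filter {
    // Session key under which the login step stored the authenticated Subject (assumed name).
    static final String SUBJECT_ATTR = "jaas.subject";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(final ServletRequest req, final ServletResponse res,
                         final FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Step 3: pull the user information gathered at login out of the HttpSession.
        // getSession(false) avoids creating a fresh, empty session for anonymous callers.
        HttpSession session = request.getSession(false);
        Subject subject = (session == null) ? null : (Subject) session.getAttribute(SUBJECT_ATTR);

        // Failure mode the diagram does not show: no authenticated Subject in the session.
        if (subject == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login required");
            return;
        }

        // Steps 4 to 6: wrap the rest of the chain in a privileged action and run it as the
        // Subject. Everything downstream (editBug.jsp included) executes with the Subject's
        // Principals in its AccessControlContext, so checkPermission can evaluate them.
        // A null AccessControlContext means the caller's own protection domains are NOT
        // combined in; doAs(...) would combine them instead.
        try {
            Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException, ServletException {
                    chain.doFilter(req, res);
                    return null;
                }
            }, null);
        } catch (PrivilegedActionException e) {
            // Unwrap the checked exception thrown inside run() so the container sees it.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }
}
```

Two points worth checking in a real deployment: the Subject must have been populated by a LoginContext (whose LoginModules drive the CallbackHandler) before it is stored in the session, otherwise getPrincipals returns an empty set and every checkPermission fails closed; and a filter like this must be mapped in web.xml to every URL pattern that needs protection, since a JSP reachable outside the filter's mapping runs without any Subject bound.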
In essence, JAAS sits at the boundary of the application, authenticates and authorizes each request for a secured page, and activates the JAAS modules. That is how JAAS works with web components and pages.
Now I will discuss how to make use of JAAS with EJB. An EJB is a business component; all the business processing logic goes into an EJB. The logic can be data oriented (Entity Beans) or process oriented (Session Beans), so securing EJBs is a must. To show how to use JAAS in securing an EJB, I will be using Session Beans and the session façade pattern.