The first article in this two-part tutorial discussed how to secure web components when using the JAAS framwork. Since J2EE components are divided into web components and business components, the next logical step is to learn how to secure business components. That is the topic of this article.
JAAS, Securing EJB - JAAS and EJB- Implementing JAAS for EJB (Page 3 of 4 )
The first question that arises is, what is a façade pattern and how is it relevant in this discussion. A façade pattern, if we go by the definition, is “An interface that provides a unified interface to a set of interfaces in a sub-system.” In other words, a façade is a class or an interface that acts like a gateway to another class, interface or a set of interfaces.
In the context of EJB, a Session Bean acts as a gateway to another Session Bean or to an Entity Bean. This pattern is more in use where Entity Beans are used. The reason for this involves the optimized use of the network. If clients make requests directly to an Entity Bean, the network could get congested because the Entity Bean may be contacting the database server through the same server. Hence a Session Bean is kept at the ‘gateway’ to the Entity Bean. No external entity (read client) can contact the Entity Bean by bypassing the Session Bean. Thus the Session Bean can even cache a previous result from the Entity Bean and reuse it. This reduces the network usage.
In the context of security, the façade pattern helps by providing a single authentication point. The Session Bean that acts as a façade can contain authentication and authorization code. In this way, a client can be authenticated, even before the request is passed on to the Entity Beans. Now let’s see how it’s done.
In securing an EJB, there are two approaches. They are:
Authenticating the client using JAAS.
Authenticating the user within the EJB using a combination of programmatic and declarative security.
Authenticating the client using JAAS
In this approach, the authentication routines reside outside the EJB. The check is done when a web client requests service of an EJB. The servlet-filter intercepts the request and authenticates the user on whose behalf the request is being made. As you may remember, this is just an extension of the securing web component approach. The beauty of this approach is that the authentication is done without interfering with the business components.