Ian,

        I have partially understood what you have said regarding the two types of
security, but I would still like to clarify some things.
        What exactly do you mean by "Protected Domain"? I am not clear on this and
hence confused about its authentication, system principal and user
principal. Can you please elaborate regarding the same?

        Secondly, we have to define the users, roles and ACLs in the Weblogic
properties file as well as the deployment descriptor at the start. But if we
have to dynamically add users and grant different rights or roles to users at
run time, is there any way out? Because if there are a large number of users
and roles, it would be very difficult to handle the properties file.

        Please let me know regarding the same.

Thanks And Regards

Deepali


Deepali wrote:

> I actually wanted to know more about EJB Security.
>
> I am trying to use Weblogic as a tool and explore various facets of
> EJB. I want to use SQL server as the database for my application. I know
> that Weblogic provides various security facilities to declare users,
> principals, ACLs in the Weblogic properties files, and by defining the ACLs
> in the deployment descriptor, the application can use the features of
> security.
>
> But I wanted to know: is it possible to use EJB and use the security
> features by defining a users table, acls table and groups table in the
> database, or is it possible to use the features of SQL server itself? I have
> tried to find more information regarding the same, but failed to get more.
>
> I have tried to run the existing example in Weblogic that uses the RDBMS
> feature, but there are problems in executing the example.

The way security is designed to work in EJB applications is that EJB security
facilities are used to control client access to the methods of the bean and
database security facilities are used to control EJB access to the databases.

This second step is often misunderstood. It is well described in the J2EE APM
beta draft section 10.2.1. This describes "container-managed authentication",
where the container gets authority to access the database on behalf of a
"protection domain" and EJBs running in that container have automatic access
to the database. A protection domain is authenticated using a system principal
rather than a specific user principal. Hence users do not need to be given
authorisation to access the database. (Apologies to security experts, I know
I've simplified it a little)

Note that security exposures can result if ordinary business users ARE
authorised to access the database. A user who is not required by his role in
the organisation to be able to modify any field of a database at any time
without any sort of consistency checking should not be barred from doing so by
mere lack of a mechanism - it should be written into the authorisation tables.
The scheme described above achieves this.


Ian McCallion
CICS Business Unit
IBM Hursley
[EMAIL PROTECTED]
Tel: ++44-1962-818065
Fax: ++44-1962-818069
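
The two layers described in the reply above, sketched as an added example in
the EJB 1.1 ejb-jar.xml descriptor format. This is not part of the original
thread and is not the Weblogic properties-file format the thread discusses;
the bean, class, role, method and resource names are hypothetical.

```xml
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>AccountService</ejb-name>              <!-- hypothetical bean -->
      <home>com.example.accounts.AccountHome</home>
      <remote>com.example.accounts.Account</remote>
      <ejb-class>com.example.accounts.AccountBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>

      <!-- Layer 2: EJB access to the database.
           res-auth=Container means the container signs on to the database
           with an identity configured in the server (the system principal),
           so the bean obtains connections from the DataSource without
           supplying any end user's database credentials. -->
      <resource-ref>
        <res-ref-name>jdbc/AccountDB</res-ref-name>    <!-- hypothetical name -->
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Layer 1: client access to bean methods.
         Only callers mapped to the "teller" role may invoke credit();
         the container rejects everyone else before the bean code runs. -->
    <security-role>
      <role-name>teller</role-name>                    <!-- hypothetical role -->
    </security-role>
    <method-permission>
      <role-name>teller</role-name>
      <method>
        <ejb-name>AccountService</ejb-name>
        <method-name>credit</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

In this arrangement the database account behind jdbc/AccountDB is the only
identity that holds table rights, and business users are authorised against
bean methods only.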
