- WebLogic Server supports the J2EE architecture security model for securing Enterprise JavaBeans (EJBs)
- EJB authorization can be enforced declaratively (in deployment descriptors) or programmatically (in bean code)
- In the J2EE architecture, the container serves as the authorization boundary between the components it hosts and their callers
- The authorization boundary lies within the container's authentication boundary, so a caller is authenticated before authorization is applied
- The container allows a call only after it has validated the caller's credentials against the access control rules (capabilities and permissions) defined for the target component
Declarative Security with EJBs
- EJB (Enterprise JavaBeans) is Java EE's server-side component architecture; it is used to develop portable, secure, transactional and distributed applications
- Declarative security for EJBs is implemented through the deployment descriptors ejb-jar.xml and weblogic-ejb-jar.xml
- These descriptors define the application's security specifications
- The EJB container reads these security definitions at runtime and enforces them
- The descriptors also map the application's security specifications (roles) to their runtime definitions (principals in a security realm)
Declarative Security with EJBs (Cont’d)
- Follow these steps to configure security in the EJB deployment descriptors:
- Use a text editor to create the ejb-jar.xml and weblogic-ejb-jar.xml deployment descriptor files
- In ejb-jar.xml, define the constraints: the security role name, the EJB name and the method name(s) the role may call
- Security role names are case sensitive; observe the restrictions and naming conventions when specifying role names
- In weblogic-ejb-jar.xml, declare the same security role name and map it to one or more principals (users or groups) in a security realm
- The following code shows the mapping of security role names to a security realm using the ejb-jar.xml and weblogic-ejb-jar.xml files
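As an added illustration of the steps above (this is example content written for this page, not descriptors taken from the original slides or from any WebLogic sample), the two descriptor fragments below show one possible configuration. The bean name `AccountBean`, the method names, the role name `manager` and the principals `BankManagers` and `alice` are all assumed values; the security realm they belong to is whatever realm is active on the target WebLogic domain.

```xml
<!-- ejb-jar.xml: standard J2EE descriptor. Declares the role and the
     method-level constraints. Role names are case sensitive, so the
     same spelling must be used in weblogic-ejb-jar.xml below. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <enterprise-beans>
    <session>
      <ejb-name>AccountBean</ejb-name>   <!-- assumed bean name -->
      <ejb-class>example.AccountBean</ejb-class>
      <session-type>Stateless</session-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <description>Staff allowed to move money between accounts</description>
      <role-name>manager</role-name>     <!-- assumed role name -->
    </security-role>
    <!-- Only callers in the 'manager' role may invoke transferFunds -->
    <method-permission>
      <role-name>manager</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>transferFunds</method-name>
      </method>
    </method-permission>
    <!-- getBalance is open to any authenticated caller -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>getBalance</method-name>
      </method>
    </method-permission>
    <!-- closeAccount is denied to every caller (no role can reach it) -->
    <exclude-list>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>closeAccount</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>

<!-- weblogic-ejb-jar.xml: WebLogic-specific descriptor. Maps the role
     declared above to principals (users or groups) in the security realm. -->
<weblogic-ejb-jar xmlns="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar">
  <weblogic-enterprise-bean>
    <ejb-name>AccountBean</ejb-name>
  </weblogic-enterprise-bean>
  <security-role-assignment>
    <role-name>manager</role-name>           <!-- must match ejb-jar.xml exactly -->
    <principal-name>BankManagers</principal-name> <!-- assumed realm group -->
    <principal-name>alice</principal-name>        <!-- assumed realm user  -->
  </security-role-assignment>
</weblogic-ejb-jar>
```

The split matters for review: ejb-jar.xml states what each role may call and is portable across containers, while weblogic-ejb-jar.xml states who holds the role and is specific to the deployment's realm. A role that is declared in ejb-jar.xml but never assigned in weblogic-ejb-jar.xml effectively denies its methods to everyone, whereas a method with no `method-permission` entry at all is a gap to check for before deployment, because the container does not protect it. The `exclude-list` is the safe way to keep a method deployed but unreachable.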
