Securing enterprise bean applications

 


Overview

You can protect enterprise bean methods by assigning security roles to them. Before you start, you need to know which EJB methods need protecting and how.

 

  1. Open the EJB application file.

    This file can be an EJB .jar file or an application .ear file that contains one or more EJB modules. To open the EJB application file, click File > Open and browse. Select the EJB application file.

  2. Create security roles.

    You can create security roles at the application level or at the EJB module level. If you create a security role at the EJB module level, the role is displayed at the application level. If a security role is created at the application level, the role does not appear in all the EJB modules. You can copy and paste one or more EJB module security roles that you create at the application level:

    1. Create a role at the application level by right-clicking Security Roles under the application folder. Click New. Type the role name. If the role created for the application is required for an EJB module, select that role from the application, copy it, and right-click the EJB module Security Roles. Click Paste.

    2. To create a role at an EJB module level, open the corresponding EJB module folder. Right-click Security Roles under the EJB module and click New. Type the role name.

  3. Create method permissions. A method permission is a mapping of one or more methods to a set of roles. An enterprise bean has four types of methods: Home methods, Remote methods, LocalHome methods and Local methods.

    1. To create a new method permission in an EJB module, open the EJB module folder. Right-click MethodPermissions and click New. A new panel displays.

    2. Type the method permission name and description.

    3. Add methods by clicking Add under Methods. Browse and select the required methods. An asterisk (*) indicates all methods.

    4. Add the required roles for the methods by clicking Add under Roles. Browse and click the required roles. If a set of methods needs to be unprotected, select the check box. Click OK when done.

  4. Exclude user access to methods. Users cannot access excluded methods. Any method in the enterprise beans that is not assigned to a role or is not excluded is deselected during the application installation by the deployer.

    1. Exclude one or more methods by right-clicking Exclude List under the EJB module folder. Click New. A new panel displays.

    2. Type the description explaining why these methods are excluded.

    3. Add methods to exclude by clicking Add. Browse and click the methods to exclude. Click OK when done.

  5. Map security-role-ref and role-name to role-link. During the development of enterprise beans, you can create the security-role-ref element using development tools such as WebSphere Studio Application Developer. The security-role-ref element contains only the role-name field. The role-name field determines if the caller is in a specified role (isCallerInRole()) and contains the name of the role that is referenced in the code. Because you create security roles during the assembly stage, the developer uses a logical role name in the role-name field and provides enough information in the description field for the assembler to map the actual role (role-link). The security-role-ref element is located at the EJB level. Enterprise beans can have zero or more security-role-ref elements.

    1. Open the required EJB folder and click Security Role References to map role-name to role-link for a security-role-ref element.

    2. Click each role-name on the right navigation panel, then select the role that you intend to map to that role-name from the Link list.

    3. Right-click Security Role References and click New if you did not create the security-role-ref element during development. A new panel displays.

    4. You can enter the role-name in the Name field and the role-link in the Link field by selecting a proper role from the list. You can also add a proper description in the Description field.

    5. Map every role-name used during development to the role (role-link) using the previous steps.

  6. Specify the RunAs Identity for enterprise bean components.

    The RunAs Identity is used for the authorization check on the next enterprise bean. If the RunAs Identity is not specified, the client identity is propagated to the next enterprise bean. The RunAs Identity can represent each of the enterprise beans or can represent each method in the enterprise beans.

    To set the RunAs Identity for the enterprise bean component, click...

    enterprise beans | security | Security Identity check box | Run-As mode | role name

    To set the RunAs Identity at the method level, go to...

    EJB folder | Method Extensions | Advanced tab

    ...select the required methods from the top of the panel, and select the Security Identity check box. Click Run-As Mode. Selecting System Identity implies that the invocation is done using the WebSphere Application Server security server ID. Use this ID with caution because this ID has more privileges.

    If the specified identity is selected, click the Role Name from the list.

 

After securing an EJB application, the resulting .jar file contains security information in its deployment descriptor. The security information of the EJB modules is stored in the ejb-jar.xml file.
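
The following is an added example, not code from the original page or from IBM: a small review script that reads an ejb-jar.xml and reports role references without a role-link, role-link or run-as roles that are not declared security roles, and beans with no method-permission or exclude-list entry. The sample descriptor is constructed (bean and role names are made up), uses EJB 2.x element names without an XML namespace, and the coverage check is per bean, not per method.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (EJB 2.x element names, no namespace); names are made up.
SAMPLE = """<ejb-jar>
 <enterprise-beans>
  <session><ejb-name>AccountBean</ejb-name>
   <security-role-ref><role-name>mgr</role-name><role-link>Manager</role-link></security-role-ref>
   <security-role-ref><role-name>clerk</role-name></security-role-ref>
   <security-identity><run-as><role-name>Auditor</role-name></run-as></security-identity>
  </session>
  <session><ejb-name>ReportBean</ejb-name></session>
 </enterprise-beans>
 <assembly-descriptor>
  <security-role><role-name>Manager</role-name></security-role>
  <method-permission><role-name>Manager</role-name>
   <method><ejb-name>AccountBean</ejb-name><method-name>*</method-name></method>
  </method-permission>
  <exclude-list>
   <method><ejb-name>AccountBean</ejb-name><method-name>purge</method-name></method>
  </exclude-list>
 </assembly-descriptor>
</ejb-jar>"""

def audit(xml_text):
    """Return sorted findings for role-mapping and method-coverage gaps."""
    root = ET.fromstring(xml_text)
    roles = {r.findtext("role-name") for r in root.iter("security-role")}
    covered = set()  # beans named in any method-permission or exclude-list entry
    for m in root.findall("assembly-descriptor/*/method"):
        covered.add(m.findtext("ejb-name"))
    findings = []
    for bean in root.find("enterprise-beans"):
        name = bean.findtext("ejb-name")
        for ref in bean.findall("security-role-ref"):
            link = ref.findtext("role-link")
            if link is None:
                findings.append(f"{name}: role-name '{ref.findtext('role-name')}' has no role-link")
            elif link not in roles:
                findings.append(f"{name}: role-link '{link}' is not a declared security-role")
        run_as = bean.findtext("security-identity/run-as/role-name")
        if run_as and run_as not in roles:
            findings.append(f"{name}: run-as role '{run_as}' is not a declared security-role")
        if name not in covered:
            findings.append(f"{name}: no method-permission or exclude-list entry")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
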

After securing an EJB application using an assembly tool, you can install the EJB application using the administrative console. During the installation of a secured EJB application, follow the steps in the Deploying Secured Applications article to complete the task of securing the EJB application.



 
