I've never used security in EJB. Chapter 11 "Security in EJB" from HFE is written very good concerning DD but as always there are no working examples at all. The most misty part is the deployer's job: "mapping actual humans to abstract roles". We understand that mapping happens outside of the EJB specification and is vendor-specific. But what's the point if I can't try this feature. How does actually mapping works when username and password are supplied to a EJB application?
The deployer needs to set up the roles that the DD contains as well as map users to roles. Also, the users need to have their passwords mapped to their user names. Initially, someone needs to set up a security realm for the container. The realm is where the above information will be stored. One example is a database. Another could just be a container's proprietary file. Containers are generally compatible with multiple realm types. Someone must tell the container where to look to authenticate users before any security can be in place for ejbs or web applications for that matter. The easiest way to do some security tests is to use the container's proprietary file, (called a memory realm), and just enter in a couple different people in a couple different roles.
thank you , but I don't understand how to set up such a securite realm. Suppose we use database and I insert there a couple of pairs username-password. Suppose I use rich client to authenticate the user. The loging window contains 2 text fields(username field and pass field) and two buttons (OK,CANCEL). How the container will know how to map Principles(Abstract actor) and real users(the data in the DB)?
Originally posted by Todor Mollov: The loging window contains 2 text fields(username field and pass field) and two buttons (OK,CANCEL). How the container will know how to map Principles(Abstract actor) and real users(the data in the DB)?
Hi Insucha case you have to use JAAS. Remember EJB does not deal with the front end. So with the help of JAAS you have to Authorised your user. Onece this is done you can use this principle to in EJB context. Please refer to the sun website for JASS documentation. Hope this helps.