I'm working on my Part 2 assignment and I choose a distributed architecture.
I have a Web Server located in a DMZ and an Application Server located in the company's intranet.
I have the following questions:
1/ Do I need to secure the RMI communications between the Web Server and the Application Server ? or can I assume that the firewall will do the job ?
2/ Do I need to establish a "trust domain" between my two servers ? How can I do it ?
3/ Do I need to secure my EJB ? Do I need to login in the application server ?
1. Usually in a real world enviornment you do not need to, your webserver is in DMZ and app server is in inner firewall. I believe it is fair to assume that whoever is in your company network is not trying to break in
2. In my opinion declarative J2EE roles based security is practical, since your app server is in inner firewall you do not worry about requests coming from internet directly to your app server
3. Security context can be propagated to you app server from web server