Can someone explain what the simplest way would be to prevent an "unauthorized" client from making remote EJB calls? For example, I know of the ConnectionFilters that you can implement in WebLogic, which can prevent remote callers from making T3 or IIOP calls if they're not from an authorized IP, etc. This is a good start, but ideally I would want to password-protect the EJBs, and any EJB client would have to provide this username/password somehow. Or possibly use two-way SSL for T3? The client app would have to provide a certificate to prove that it's trusted.
To be clear, I don't think I need the container to handle any very fine-grained access control. I just want to make sure that the client (e.g., a webapp) is a trusted one. Once the EJB container is satisfied that the client is trusted (preferably by user/pass) then the client is free to execute any EJB methods.
Why not use JAAS to secure your EJBs and then your remote clients need to add
to their context lookup properties.
See if this explains it better: http://docs.oracle.com/cd/B32110_01/web.1013/b28957/ejbsec.htm
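As an added illustration of what the lookup-time credentials look like on a WebLogic client (this is example code, not code from the reply above or from the linked Oracle page); the host, port, JNDI name, remote interface and environment variable names are assumed placeholders:

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Added example, not from the thread: a remote EJB client that authenticates
// to WebLogic when it creates its JNDI InitialContext. The identity established
// here is the caller identity the server sees on the EJB invocations that follow.
public class AuthenticatedEjbClient {

    // Placeholder remote business interface; the real client would use its own.
    public interface OrderServiceRemote {
        String ping();
    }

    public static Context createAuthenticatedContext(String url, String user, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        // t3s is the SSL-protected variant of t3, so the password is not sent in the clear.
        env.put(Context.PROVIDER_URL, url);
        // These two properties are what the server authenticates. Without them the
        // lookup runs as the anonymous user, and any <method-permission> (or
        // @RolesAllowed) on the bean rejects the call.
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialContext(env);
    }

    public static void main(String[] args) throws Exception {
        // Credentials come from outside the code (placeholder variable names).
        String user = System.getenv("EJB_USER");
        String password = System.getenv("EJB_PASSWORD");
        Context ctx = createAuthenticatedContext("t3s://appserver.example:7002", user, password);
        try {
            // "ejb/OrderServiceRemote" is a placeholder JNDI name.
            OrderServiceRemote svc = (OrderServiceRemote) ctx.lookup("ejb/OrderServiceRemote");
            System.out.println(svc.ping());
        } finally {
            ctx.close();
        }
    }
}
```

The server-side half is declaring method permissions on the bean (ejb-jar.xml <method-permission> or @RolesAllowed) and mapping the role to the trusted user, so that a caller that skips the credentials is refused rather than silently allowed.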
OK, thanks for the reply ... but what you are describing is JNDI lookup security, isn't it? I saw this thread: