Mark Egloff
Ranch Hand
since Dec 30, 2004

Recent posts by Mark Egloff

Hello neel

What you would like to display in the component diagram is your decision alone. I cannot give you an answer on this.

Regarding declarative security, this is only a principle for authentication/authorization, which means that if you go for declarative security you do not have to include components for this. But you may have other components which are related to a user activity.

I recommend that you study some J2EE architectures such as "Struts", "JavaServer Faces" or "Cocoon" to get more experience of which components these consist of and how they handle the process of a user activity. You only have to understand those architectures at a high level. I did this and gained the necessary understanding.

Hope this helps

[ April 03, 2005: Message edited by: Mark Egloff ]
Hello Ravi

I am still here, just let me sleep, work, eat and then I am ready for you.
As I am located on the other side of planet earth you may have to wait a few hours...

If you search for posts and articles, and even read the recommended books, they often talk only about EJB 1.1. EJB 2.0 possibilities are sometimes mentioned but not handled in detail. For instance they talk about the message model, but do not explicitly mention Message Driven Beans. Or they talk about the local interface regarding performance improvements, but not more. That's more or less all.

I also got a question in the first part of the certification about the difference between EJB 1.0 and EJB 1.1. There was no specific question regarding 2.0.

If you look at the overview of the certification on the Sun web page you also see no clear indication of which standard is expected.

Sun Certified Enterprise Architect for J2EE Technology

have also a look here:
Get the inside track on J2EE architect certification; see the section "Future Exams" at the end.

Will Sun upgrade the EJB part of SCEA to EJB2.0 ?

I simply recommend including in your description which standard you would like to use and why. This will clarify all issues for the experts.

Regarding the class diagram, I don't see a point why this should affect the class design. Search the forum for "technology independent" class diagram. I chose this approach and got the full score.

So the only thing which is affected is of course the component diagram. There you clearly have to define which standard and solution you take and why.

hope this helps

[ March 31, 2005: Message edited by: Mark Egloff ]

Originally posted by Manju Karthik:

This link explains declarative security for web applications and also how the users can be mapped to one role ("Weak authentication"). Hope this helps those who have questions regarding declarative security for web apps.


very good example... I myself looked very hard for a "CAPTCHA" possibility to include in a forum; now I know what this stuff is called... thanks!

You will become a good architect....
Hello saha

#a> swing client inside the same network; inside the same network we need some kind of authentication and authorization here.

This is your decision. You are the architect.

#b> swing client outside the network, connecting through tunnelling. Then how is authentication possible? Can it be done declaratively? Can it be done programmatically?

Be careful, this is not J2EE standard; the underlying product used has to support that.

#what does it mean? where do I put this code, into the business delegate or where? or hardcoded in swing?

This is using the JNDI standard, which means you can use the directory service to transfer objects. Using JNDI for authorization and authentication can be seen as a standard, but not every container product supports it.

You simply have to put this code in your client. At which location depends on you.
The trick how it works is the "java.naming.provider.url": there you specify which JNDI service you are connecting to. This is normally a running process/service inside your EJB container.

If you then do an RMI service call, the JNDI service is used in the background for lookup and connection. It therefore automatically uses the Context which you have created above. Example:

I hope this clarifies your issues. However you do not have to go into the details during your assignment. Just mention in your description, if you go for a declarative approach, that the containers have to support principal propagation, because this is not a real J2EE standard as you have seen.

[ March 30, 2005: Message edited by: Mark Egloff ]
For the class diagram I used Poseidon UML community edition... for the sequence diagram I then switched to Together 6.1.

Hello saha

Originally posted by neelArchitect saha:
My design has swing directly connecting to EJB. How then will authentication and authorization be handled? As per my knowledge EJB cannot do authentication.

Ask yourself how important it is to protect the EJB tier from the swing tier, especially in this case. This of course depends on which network zone the travel agents are located in. Search the forum and you will find some answers.

By the way, some containers offer their own authentication or also authorization for J2EE clients, i.e. as mentioned above WebLogic offers this by using JNDI. So if you would like to go for a declarative way there as well, you have to propagate the user principals in the J2EE client, which is done programmatically there, i.e. code which I personally use in a WebLogic app

hope this helps.
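The JNDI login that the two posts above describe (the "java.naming.provider.url" trick, and the client-side code Mark uses in WebLogic, which did not survive on this page) looks like the following. This is an added example, not Mark's code. Only the javax.naming.Context keys are standard J2EE; the factory class name and the t3:// URL are WebLogic specific and are assumptions, as are the host, port and the JNDI name "ejb/TravelAgentHome".

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.swing.JOptionPane;
import javax.swing.JPasswordField;

/**
 * Added example (not from the original posts): a Swing/J2EE client hands
 * a user principal to the EJB container through the JNDI InitialContext.
 * Standard: the Context.* keys.  Assumptions: factory class and "t3://"
 * URL are WebLogic specific; host, port and JNDI name are made up.
 */
public class JndiLoginClient {

    /** Opens a context whose calls all carry the given user as caller principal. */
    public static Context login(String providerUrl, String user, char[] password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        // product specific: which JNDI implementation the client talks to (assumption)
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        // "java.naming.provider.url": the JNDI service running inside the EJB container
        env.put(Context.PROVIDER_URL, providerUrl);
        // standard keys; the container authenticates them and attaches the principal
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        // wrong credentials fail here with javax.naming.AuthenticationException
        return new InitialContext(env);
    }

    public static void main(String[] args) throws Exception {
        String user = args.length > 0 ? args[0] : "agent01";   // sample user name
        char[] password = askPassword(user);
        if (password == null) {
            return;                                   // user cancelled the dialog
        }
        Context ctx = login("t3://ejbhost:7001", user, password);   // assumed host/port
        java.util.Arrays.fill(password, ' ');         // do not keep the secret around
        try {
            // every home/remote call made through this context runs as "user";
            // the EJB container applies its method permissions to that principal
            Object home = ctx.lookup("ejb/TravelAgentHome");
            System.out.println("looked up " + home.getClass().getName());
        } finally {
            ctx.close();
        }
    }

    /** Prompts for the password instead of taking it from the command line. */
    private static char[] askPassword(String user) {
        JPasswordField field = new JPasswordField();
        int choice = JOptionPane.showConfirmDialog(null, field,
                "Password for " + user, JOptionPane.OK_CANCEL_OPTION);
        return choice == JOptionPane.OK_OPTION ? field.getPassword() : null;
    }
}
```

Two caveats for the Swing-outside-the-network case discussed above: over a plain t3:// (or RMI/IIOP) connection the user name and password cross the network unprotected, so the provider URL should point at the product's TLS or tunnelled variant, and the lookup only proves authentication; a missing role shows up later as an exception on the EJB method call.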

Hello Manju

Originally posted by Manju Karthik:
Question on class diagram... Did you show attributes and operations in your class diagram? How about composition/aggregation?

Please search the forum regarding these basic questions and you will find tons of answers.

Ask yourself what you would expect from a good class diagram if you were a simple programmer. You also find the answer in the assignment doc, which means you do not have to provide full detail for each operation and attribute. Include only that which makes sense and is necessary to understand how the classes collaborate with each other.

Myself, I would expect from a class diagram to see the details, especially for relations. If you do not show the directions, or whether it is an aggregation or a composition, then confusion for the programmer is predetermined.

[ March 30, 2005: Message edited by: Mark Egloff ]
Hello Manju.

Originally posted by Manju Karthik:

Understand that declarative security is for protected resources, which are specified in the deployment descriptor. The users and the user-role mapping are done via the app server console.

But what about the end users' userid/password which are stored in the application database? When a login screen is provided, the user enters his user id and pwd (which the user himself chose during the registration process). The details provided will be verified against the userid/password stored in the application db, right? How is this userid mapped to the role for declarative security???

Your understanding is fine. In practice you are able to use a dynamic mapping of the user id, but for that you have to use the possibilities of the underlying container product. Most containers provide you with specific realm classes which support the lookup by JNDI or databases (or other possibilities). Have a look for instance at the Tomcat example above and on its homepage. There exists a "database realm".

In the end you are also able to do it fully declaratively. However I would recommend including in your description that the container used has to support this, in order to give a clear understanding to the experts.


Originally posted by neelArchitect saha:

what is the role of the interception filter, if I do authentication and authorization in the front controller itself?
can I use both interception filter and front controller? is it good design?

The interception filter is especially designed for doing tasks which are not related to the business logic but more related to the content (as the name says, "filter"). The design uses inside a "chain of responsibility" which allows a simple separation of concerns. Mostly filters are used for:

- content / resource filtering
- authentication or authorization
- logging
- any kind of interceptions (AOP)

If you do authorization and authentication in the front controller and still use an interception filter, it would in my eyes make no sense.

To have a front controller and an interception filter makes sense because the front controller is responsible for the page flow and is realized as MVC. It defines which logic/event handlers have to be called in order to collect the data from the business tier, and controls which pages have to be called in which order to complete the process.

To get more information regarding the J2EE patterns and how to use them, have a look here:

SUN Core J2EE Patterns

hope this helps, regards
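An added example, not code from the post, of the interception filter doing the authentication/authorization job so that the front controller behind it only handles page flow. It assumes (nothing of this is on the page) that a login servlet has already stored the authenticated user under the session attribute "auth.principal", that role membership is obtained through a RoleLookup interface which in a real deployment would be the business delegate making the call into the EJB tier, and that the path prefixes and role names are the ones of an imaginary travel-booking app.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the original post): programmatic
 * authentication/authorization as an Interception Filter.  Mapped in
 * web.xml in front of the front controller, e.g.
 *   <filter-mapping><filter-name>SecurityFilter</filter-name>
 *                   <url-pattern>/*</url-pattern></filter-mapping>
 * Assumptions: session attribute name, RoleLookup, paths and roles.
 */
public class SecurityFilter implements Filter {

    static final String PRINCIPAL_ATTR = "auth.principal";   // set by a login servlet (assumed)

    /** Hypothetical business delegate; the real one would call an EJB. */
    public interface RoleLookup {
        Set<String> rolesOf(String userName);
    }

    // URL prefix -> role required; any other path only needs a logged-in user
    private final Map<String, String> protectedPaths = new HashMap<String, String>();
    private final RoleLookup roles;

    public SecurityFilter() {
        this(new RoleLookup() {          // constructed in-memory stand-in for the EJB call
            public Set<String> rolesOf(String u) {
                if ("admin".equals(u)) return new HashSet<String>(Arrays.asList("agent", "admin"));
                if ("agent01".equals(u)) return Collections.singleton("agent");
                return Collections.<String>emptySet();
            }
        });
    }

    public SecurityFilter(RoleLookup roles) {
        this.roles = roles;
        protectedPaths.put("/admin/", "admin");
        protectedPaths.put("/booking/", "agent");
    }

    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);      // never create one here
        Principal user = session == null ? null : (Principal) session.getAttribute(PRINCIPAL_ATTR);
        // path relative to the web app, already normalised by the container
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (user == null) {
            // authentication: nobody logged in -> login page, the controller is never reached
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        String required = requiredRole(path);
        if (required != null && !roles.rolesOf(user.getName()).contains(required)) {
            // authorization: logged in, but not allowed for this part of the app
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // chain of responsibility: hand over to the next filter / the front controller
        chain.doFilter(req, res);
    }

    /** Role a path needs, or null if any authenticated user may pass. */
    String requiredRole(String path) {
        for (Map.Entry<String, String> e : protectedPaths.entrySet()) {
            if (path.startsWith(e.getKey())) return e.getValue();
        }
        return null;
    }
}
```

Because the role check is a prefix match, the filter must be mapped to /* and not to the protected prefixes only, otherwise a request that bypasses the mapping also bypasses the check; and since the filter, not the container, decides, the EJB tier still has to apply its own method permissions to the propagated principal.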
This is correct: if you would like to go for the full declarative approach then you do not have to use an interception filter. Both containers will then do the authentication and authorization for you.

#I mean in design doc mentioning interception filter and declarative security is enough!!!

Hello saha

Of course you are right. This will be enough.

I just want to clarify how the declarative approach and principal propagation work. As this is product dependent I recommend mentioning it in the description. If you search the forum regarding both things you will find more questions than answers from others.

#I want to know in generic terms what components we can use for authentication/authorization and how these work.

There are several possibilities; which one you choose depends on you.

- Do it programmatically with an Interception Filter. This would require a business call from the web tier to the EJB tier.

- Do it programmatically in the main servlet. This would also require a business call from the web tier to the EJB tier.

- Use the declarative possibility of your web container and verify that it is compatible with the EJB container product, so that automatic principal propagation is possible.

- If the web container and EJB container are not compatible, you have to write your own realm class in the web container which propagates the principals. That is what I tried to explain in the posts above.

hope this helps
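For the declarative option in the list above, and for the "database realm" mapping of application-managed users asked about two posts earlier, this is what the configuration looks like. It is an added example and not from Mark's posts. Part 1 is standard Servlet 2.3 web.xml and works in any web container; part 2 is the Tomcat-specific JDBCRealm that maps the application's own user and role tables to container roles. Table and column names, URL patterns, role names and the JDBC settings are assumptions.

```xml
<!-- ===== part 1: WEB-INF/web.xml (standard J2EE, assumed paths and roles) ===== -->
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Booking</web-resource-name>
      <url-pattern>/booking/*</url-pattern>
      <!-- deliberately no <http-method>: all methods are constrained.
           Listing only GET and POST would leave HEAD, PUT, ... unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>agent</role-name>          <!-- only this container role may pass -->
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>   <!-- force HTTPS -->
    </user-data-constraint>
  </security-constraint>

  <!-- the container's own login form; login.jsp POSTs j_username and
       j_password to the action "j_security_check" -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>TravelAgency</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>agent</role-name>
  </security-role>
</web-app>

<!-- ===== part 2: Tomcat server.xml, inside the <Context> of the web app
     (product specific; driver, URL, account and table names are assumptions).
     The realm answers the FORM login by selecting the stored credential and
     the user's rows in the role table; the role names it returns are the
     ones the <auth-constraint> above refers to. ===== -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.gjt.mm.mysql.Driver"
       connectionURL="jdbc:mysql://localhost/travel"
       connectionName="tomcat_auth" connectionPassword="change-me"
       userTable="users"       userNameCol="user_name"  userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="SHA" />   <!-- store a digest, not the clear-text password -->
```

With this in place the web container does the user/role mapping itself; whether the resulting principal reaches the EJB tier is exactly the product-compatibility question Mark raises, so the description should state which web and EJB container pair is assumed.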

Hello Jamy

Your question is very common; search this forum and you will get information from others regarding your questions.

I did not change the provided BDOM, except that of course I added classes or inserted one between two classes which had a relationship to each other.

My class diagram was technology independent (you will find a lot of discussions if you search the forum for this topic). This means I did not show them in the class diagram. I added it in my description and component diagram.

By the way, I downloaded the source code of the newest JOnAS and had a quick look at how the propagation works. Here are the classes which are interesting; these classes do the marshalling of the security context:
// realm for newer Tomcat versions (line 208) (holder for principals etc.) (byte marshalling)
// IIOP or JRMP communication handlers

Hello Neel

Keep running, don't give up. The reason why you are so confused is that there exists no "real" standard for how the concept of automatic user principal propagation works. This is the magic of the underlying products. You as a servlet or EJB programmer have to follow the instructions of the tool/product provider.

For instance have a look there: Example for using security in JOnAS with Tomcat
In JOnAS you can just use a full declarative approach and you have no clue how the propagation is technically working. If you would like to know, you have to study the specially coded realm class ""

WebLogic for instance is using the JNDI approach for user propagation:
Using JNDI Authentication
So you insert this programmatically from your servlet/JSP into a context which is then automatically propagated by the container to the EJB tier. Maybe there also exist some utility/realm classes which then do this for you automatically if you are using the declarative approach in the web tier.

hope this helped you a little bit...

best regards
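What the propagation described above looks like from the receiving side, as an added example that is not from the post: the EJB never sees a password, only the Principal the container attached to the call, whether it came from the web container's declarative login or from a JNDI login in a Swing client. The bean name, role names and the business rule are assumptions, and the descriptor fragment in the comment is what a deployer would add for them.

```java
import java.security.Principal;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/**
 * Added example (not from the original post): a stateless session bean
 * that relies on the propagated caller principal.  Assumed descriptor
 * (ejb-jar.xml):
 *
 *   <assembly-descriptor>
 *     <security-role><role-name>agent</role-name></security-role>
 *     <security-role><role-name>admin</role-name></security-role>
 *     <method-permission>
 *       <role-name>agent</role-name>
 *       <method><ejb-name>BookingBean</ejb-name><method-name>book</method-name></method>
 *     </method-permission>
 *   </assembly-descriptor>
 *
 * and inside the <session> element of BookingBean, so that the name used
 * in isCallerInRole() below is linked to the deployment role "admin":
 *
 *   <security-role-ref>
 *     <role-name>supervisor</role-name><role-link>admin</role-link>
 *   </security-role-ref>
 */
public class BookingBean implements SessionBean {

    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }

    /**
     * The declarative method-permission already rejects callers without
     * the "agent" role before this code runs.  The programmatic check adds
     * a finer rule (only supervisors may override the credit limit) that
     * cannot be expressed per-method in the descriptor.
     */
    public String book(String itinerary, boolean overrideCreditLimit) {
        Principal caller = ctx.getCallerPrincipal();    // propagated from the web tier
        if (overrideCreditLimit && !ctx.isCallerInRole("supervisor")) {
            throw new EJBException("credit limit override not allowed for " + caller.getName());
        }
        // audit the real user, not a shared technical account of the web tier
        return "booked " + itinerary + " for " + caller.getName();
    }
}
```

A practical check for the compatibility question raised above: deploy the bean, log in at the web tier and print getCallerPrincipal().getName() from the business method. If the two containers do not propagate, the name is the container's anonymous or run-as identity rather than the user who logged in, and the method-permission then protects nothing.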
#Web based clients can be authenticated by letting the web container (running on the web servers) authenticate the user and then propagate the User Principal to the EJB container (security propagation), and then the EJB container can handle the authentication/authorization portion of it.

This is fine for me, so where is your confusion now?

#In that case for SignOnFilter I have to mention AccountManager Façade, AccountDAO etc., or is just mentioning decl security handling enough?

I mentioned the full level of design in my component diagram and also in the description. I recommend mentioning both (what kind of components you are using for authentication/authorization and how these work).

#In your architecture does the Swing client directly connect to the EJB tier, or does swing connect using a protocol router as a thin client?
If using a protocol router, then how do you handle the 5 secs performance issue?

You have to make assumptions and mention them clearly in the description. So if you decide to connect directly to the EJB layer then you have to be aware that the travel agents must be able to connect to this layer, so you have to define in which network zone the travel agents are located, i.e. intranet or extranet?

I would recommend keeping things clear and simple. My assumption was that all travel agents work for the same company and are located in the same network zone. Even if they work at different locations they could use VPN.