Chapter 7 Security
305
constraints. Such mechanisms allow only authentic caller identities to access com 
ponents. Since the J2EE application programming model focuses on permissions,
which indicate who can do what function, authentication and identity establish 
ment occur before authorization decisions are enforced.
After successful authentication, a credential is made available to the called
component. The credential contains information describing the caller through its
identity attributes. Anonymous callers are represented by a special credential.
These attributes uniquely identify the caller in the context of the authority that
issued the credential. Depending on the type of credential, it may contain other
attributes that define shared authorization properties (such as group member 
ships), which distinguish collections of related credentials. The identity attributes
and shared authorization attributes in the credential are collectively represented as
security attributes.
 Comparing the security attributes of the credential associated
with a component invocation with those required to access the called component
determines access to the called component.
In the J2EE architecture, a container serves as an authorization boundary
between the components it hosts and their callers. The authorization boundary
exists inside the container's authentication boundary so that authorization is con 
sidered in the context of successful authentication. For
inbound
calls, the con 
tainer compares security attributes from the credential associated with a
component invocation to the access control rules for the target component. If the
rules are satisfied, the container allows the call; otherwise, it rejects the call.
7.2.2.1
Declarative Authorization
Deployment establishes the container enforced access control rules associated with
a J2EE application. Generally, a deployment tool maps an application permission
model, which is defined in the deployment descriptor, to policy and mechanisms
specific to the operational environment.
The deployment descriptor defines logical privileges called 
security roles
 and
associates them with components. Security roles are ultimately granted permis 
sion to access components. At deployment, the security roles are mapped to iden 
tities in the operational environment to establish the capabilities of users in the
runtime environment. Callers authenticated by the container as one of these iden 
tities are assigned the privilege represented by the role.
The EJB container grants permission to access a method only to callers that
have at least one of the privileges associated with the method. The Web container
enforces authorization requirements similar to those for an EJB container. Secu 






footer




 

 

 

 

 Home | About Us | Network | Services | Support | FAQ | Control Panel | Order Online | Sitemap | Contact

 

Our web partners: Inexpensive Web Hosting Java Web Hosting personal webspace webspace php  linux webhost

 html web templates DreamweaverQuality Web Templates PSD Web Templates

cheap webhost j2ee web Hosting buy webspace ftp webspace adult webspace

frontpage WebHosting webspace hosting cheap webhost

Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved

aol web hosting