2. Using the Tutorial Examples
3. Getting Started with Web Applications
5. JavaServer Pages Technology
7. JavaServer Pages Standard Tag Library
10. JavaServer Faces Technology
11. Using JavaServer Faces Technology in JSP Pages
12. Developing with JavaServer Faces Technology
13. Creating Custom UI Components
14. Configuring JavaServer Faces Applications
15. Internationalizing and Localizing Web Applications
16. Building Web Services with JAX-WS
17. Binding between XML Schema and Java Classes
19. SOAP with Attachments API for Java
21. Getting Started with Enterprise Beans
23. A Message-Driven Bean Example
24. Introduction to the Java Persistence API
25. Persistence in the Web Tier
26. Persistence in the EJB Tier
27. The Java Persistence Query Language
28. Introduction to Security in the Java EE Platform
29. Securing Java EE Applications
Accessing an Enterprise Bean Caller's Security Context
Declaring Security Role Names Referenced from Enterprise Bean Code
Declaring Security Roles Using Annotations
Declaring Security Roles Using Deployment Descriptor Elements
Defining a Security View of Enterprise Beans
Specifying an Authentication Mechanism
Mapping Security Roles to Application Server Groups
Using Enterprise Bean Security Annotations
Using Enterprise Bean Security Deployment Descriptor Elements
Deploying Secure Enterprise Beans
Accepting Unauthenticated Users
Accessing Unprotected Enterprise Beans
Enterprise Bean Example Applications
Example: Securing an Enterprise Bean
Building, Deploying, and Running the Secure Cart Example Using NetBeans IDE
Building, Deploying, and Running the Secure Cart Example Using Ant
Example: Using theisCallerInRole andgetCallerPrincipal Methods
Modifying Runtime Properties for the Secure Converter Example
Building, Deploying, and Running the Secure Converter Example Using NetBeans IDE
Building, Deploying, and Running the Secure Converter Example Using Ant
Troubleshooting the Secure Converter Application
Discussion: Securing the Duke's Bank Example
31. The Java Message Service API
32. Java EE Examples Using the JMS API
36. The Coffee Break Application
Securing EIS Applications
In EIS applications, components request a connection to an EIS resource. As partof this connection, the EIS can require a sign-on for the requester toaccess the resource. The application component provider has two choices for the designof the EIS sign-on:
In the container-managed sign-on approach, the application component lets the container take the responsibility of configuring and managing the EIS sign-on. The container determines the user name and password for establishing a connection to an EIS instance. For more information, readContainer-Managed Sign-On.
In the component-managed sign-on approach, the application component code manages EIS sign-on by including code that performs the sign-on process to an EIS. For more information, readComponent-Managed Sign-On.
You can also configure security for resource adapters. ReadConfiguring Resource Adapter Security for moreinformation.
Container-Managed Sign-On
In container-managed sign-on, an application component does not have to pass any sign-onsecurity information to thegetConnection() method. The security information is supplied by thecontainer, as shown in the following example.
// Business method in an application componentContext initctx = new InitialContext();// Perform JNDI lookup to obtain a connection factoryjavax.resource.cci.ConnectionFactory cxf = (javax.resource.cci.ConnectionFactory)initctx.lookup( "java:comp/env/eis/MainframeCxFactory");// Invoke factory to obtain a connection. The security// information is not passed in the getConnection methodjavax.resource.cci.Connection cx = cxf.getConnection();...
Component-Managed Sign-On
In component-managed sign-on, an application component is responsible for passing the needed sign-onsecurity information to the resource to thegetConnection method. For example, securityinformation might be a user name and password, as shown here:
// Method in an application componentContext initctx = new InitialContext();// Perform JNDI lookup to obtain a connection factoryjavax.resource.cci.ConnectionFactory cxf = (javax.resource.cci.ConnectionFactory)initctx.lookup( "java:comp/env/eis/MainframeCxFactory");// Get a new ConnectionSpeccom.myeis.ConnectionSpecImpl properties = //..// Invoke factory to obtain a connectionproperties.setUserName("...");properties.setPassword("...");javax.resource.cci.Connection cx = cxf.getConnection(properties);...Configuring Resource Adapter Security
A resource adapter is a system-level software component that typically implements network connectivityto an external resource manager. A resource adapter can extend the functionality ofthe Java EE platform either by implementing one of the Java EE standardservice APIs (such as a JDBC driver), or by defining and implementing aresource adapter for a connector to an external application system. Resource adapters canalso provide services that are entirely local, perhaps interacting with native resources. Resourceadapters interface with the Java EE platform through the Java EE service providerinterfaces (Java EE SPI). A resource adapter that uses the Java EE SPIsto attach to the Java EE platform will be able to work withall Java EE products.
To configure the security settings for a resource adapter, you need to editthera.xml file. Here is an example of the part of anra.xmlfile that configures the following security properties for a resource adapter:
<authentication-mechanism> <authentication-mechanism-type>BasicPassword</authentication-mechanism-type> <credential-interface> javax.resource.spi.security.PasswordCredential </credential-interface></authentication-mechanism><reauthentication-support>false</reauthentication-support>
You can find out more about the options for configuring resource adapter securityby reviewingas-install/lib/dtds/connector_1_0.dtd. You can configure the following elements in the resource adapterdeployment descriptor file:
Authentication mechanisms
Use the authentication-mechanism element to specify an authentication mechanism supported by the resource adapter. This support is for the resource adapter and not for the underlying EIS instance.
There are two supported mechanism types:
BasicPassword: This mechanism supports the interfacejavax.resource.spi.security.PasswordCredential.
Kerbv5: This mechanism supports the interfacejavax.resource.spi.security.GenericCredential. The Application Server does not currently support this mechanism type.
Reauthentication support
Use thereauthentication-support element to specify whether the resource adapter implementation supports re-authentication of existingManaged-Connection instances. Options aretrue orfalse.
Security permissions
Use thesecurity-permission element to specify a security permission that is required by the resource adapter code. Support for security permissions is optional and is not supported in the current release of the Application Server.
The security permissions listed in the deployment descriptor are ones that are different from those required by the default permission set as specified in the connector specification.
Refer to the following URL for more information on Sun’s implementation of the security permission specification:http://download.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html#FileSyntax.
In addition to specifying resource adapter security in thera.xml file, youcan create a security map for a connector connection pool to map anapplication principal or a user group to a back end EIS principal. Thesecurity map is usually used in situations where one or more EISback end principals are used to execute operations (on the EIS) initiated byvarious principals or user groups in the application.
Mapping an Application Principal to EIS Principals
When using the Application Server, you can use security maps to mapthe caller identity of the application (principal or user group) to a suitableEIS principal in container-managed transaction-based scenarios. When an application principal initiates a request toan EIS, the Application Server first checks for an exact principal using thesecurity map defined for the connector connection pool to determine the mapped backend EIS principal. If there is no exact match, then the Application Serveruses the wild card character specification, if any, to determine the mapped back-endEIS principal. Security maps are used when an application user needs to executeEIS operations that require to be executed as a specific identity in theEIS.
To work with security maps, use the Admin Console. From the AdminConsole, follow these steps to get to the security maps page:
Expand the Resources node.
Expand the Connectors node.
Select the Connector Connection Pools node.
Select a Connector Connection Pool by selecting its name from the list of current pools, or create a new connector connection pool by selecting New from the list of current pools.
Select the Security Maps page.
Copyright © 2010, Oracle and/or its affiliates. All rights reserved.Legal Notices