Security is an important issue in the development and deployment of all enterprise-based applications. In EJB applications it is implemented through the container's support for the security model specified in the EJB specification. The EJB framework builds security into the container, so that the application itself needs very little code to implement it.
The EJB security model is designed for enterprise-based applications and should not be used if EJBs are not being used. How you implement this security within your EJBs depends on the security requirements of your application. Implementing it typically requires the following:
Defining users and groups
Associating application resources to users or groups
Providing efficient and different methods of maintaining security
Implementing logic to validate security at runtime
Implementing tools to manage users, groups, and privileges
Authentication is the process of verifying that a client is who it claims to be. It is the foundation on which the remaining portions of the security model are constructed. Most EJB containers offer several authentication mechanisms. For example, Borland Enterprise Server supports authentication against JDBC, LDAP, or JDataStore, or through a custom security class.
Authorization is the process of granting rights to the underlying implementation. For example, you might require a certain set of rights to call a given method. Authorization can be implemented via the container, or you can programmatically implement the security within the bean home interface. To help visualize the implementation of the authorization mechanisms, take a look at the security sequence diagram shown in Figure 23.16.
Figure 23.16 Sequence diagram for illustrating server-based authentication.
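The following stateless session bean is an added example, not code from the book or from Borland's products, showing the programmatic side of the authorization model just described together with the role-based tasks listed earlier (defining roles, associating methods with roles, validating at runtime). The bean class, the role names "admin" and "teller", the account methods and the data-access stub are all hypothetical; the javax.ejb API calls (SessionContext.isCallerInRole and getCallerPrincipal) are the real EJB 2.x ones.

```java
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Hypothetical stateless session bean demonstrating programmatic authorization
// with the EJB 2.x API. The declarative (container-managed) equivalent for the
// same methods lives in ejb-jar.xml: <security-role> declares the roles,
// <method-permission> ties methods to roles, and <security-role-ref> maps the
// role names used in isCallerInRole() below onto the declared roles.
public class AccountManagerBean implements SessionBean {

    // Logical role names; the deployer maps them to real users and groups.
    private static final String ROLE_ADMIN = "admin";
    private static final String ROLE_TELLER = "teller";

    private SessionContext ctx;

    // Business method: anyone in "teller" or "admin" may read a balance.
    public double getBalance(String accountId) {
        requireAnyRole(new String[] { ROLE_TELLER, ROLE_ADMIN });
        audit("getBalance", accountId);
        return lookupBalance(accountId);
    }

    // Business method: only "admin" may close an account.
    public void closeAccount(String accountId) {
        requireAnyRole(new String[] { ROLE_ADMIN });
        audit("closeAccount", accountId);
        markClosed(accountId);
    }

    // Runtime check: the container answers isCallerInRole() from the
    // authenticated caller's principal and the role mapping in the descriptor.
    // Denied calls surface to the client as a system exception.
    private void requireAnyRole(String[] roles) {
        for (int i = 0; i < roles.length; i++) {
            if (ctx.isCallerInRole(roles[i])) {
                return;
            }
        }
        Principal caller = ctx.getCallerPrincipal();
        throw new EJBException("caller '" + caller.getName()
                + "' lacks a required role for this method");
    }

    // Audit trail: record who invoked which method on which resource, so that
    // both permitted and attempted actions can be reviewed later.
    private void audit(String method, String accountId) {
        Principal caller = ctx.getCallerPrincipal();
        System.out.println("AUDIT caller=" + caller.getName()
                + " method=" + method + " account=" + accountId);
    }

    // Hypothetical data-access stubs standing in for real persistence code.
    private double lookupBalance(String accountId) { return 0.0; }
    private void markClosed(String accountId) { }

    // Standard SessionBean lifecycle callbacks.
    public void ejbCreate() throws CreateException { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }
    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
}
```

Two points worth checking in any deployment of this pattern: every role name passed to isCallerInRole() must be declared in a security-role-ref for the bean, or the container cannot resolve it; and getCallerPrincipal() never returns null, so an unauthenticated caller shows up under the container's default principal, which is why the audit line should be read together with the container's authentication configuration rather than on its own.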
Secure communication is probably the simplest to implement but the most complex if you look at what is hidden from you in the details. JBuilder does not offer any special features to either manage or implement secure communication; this is simply a feature of the container. For example, Borland Enterprise Server can communicate either between the clients or between other J2EE servers using SSL configured through the use of the container's console.
JBuilder's support is actually simple. It is divided into two sections. The first is the capability to define the roles that will be available in the security editor (see Figure 23.17).
The second is the capability to assign security to any interface or method based on the role of the end-user (see Figure 23.18).
Figure 23.17 Building new roles for the security domain.
Figure 23.18 Assigning roles to either an interface, method, or both.