300


J2EE Platform Security Model


7.2.1.1


Protection Domains


The J2EE platform makes it possible to group entities into special domains, called


protection domains, so that they can communicate among themselves without


having to authenticate themselves. A 


protection domain 


is a logical boundary


around a set of entities that are assumed or known to trust each other


. 


Entities in such


a domain need not be authenticated to one another. 


Figure 7.2 illustrates an environment using protection domains. It shows how


authentication is required only for interactions that cross the boundary of a protec 


tion domain. Interactions that remain within the protection domain do not require


authentication. Although authentication is not required within this realm of trust,


there must be some means to ensure that unproven or unauthenticated identities do


not cross the protection domain boundary. In the J2EE architecture, a container


provides an authentication boundary between external callers and the components


it hosts. Furthermore, the architecture does not require that the boundaries of pro 


tection domains be aligned with the boundaries of containers. The container's


responsibility is to enforce the boundaries, but implementations are likely to


support protection domains that span containers.


The container ensures that the identity of a call is authenticated before it


enters the protection domain; this is usually done with a credential, such as an


X.509 certificate or a Kerberos service ticket. A credential is analogous to a pass 


port or driver's license. The container also ensures that outgoing calls are properly


identified. Maintaining proper proof of component identity makes it easier for


interacting components to trust each other. A J2EE developer can declaratively


specify the authentication requirements of an application for calls to its compo 


nents (such as enterprise beans or JSPs) and for outbound calls that its compo 


nents make to access other components and resources.


The deployment descriptor holds declarations of the references made by each


J2EE component to other components and to external resources. These declara 


tions, which appear in the descriptor as 


ejb ref


 elements, 


resource ref


 ele 


ments, and 


service ref


 elements, indicate where authentication may be


necessary. The declarations are made in the scope of the calling component, and


they serve to expose the application's inter component or resource call tree.


Deployers use J2EE platform tools to read these declarations, and they can then


use these references to properly secure interactions between the calling and called


components. The container uses this information at runtime to determine whether


authentication is required and to provide the mechanisms for handling identities


and credentials.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      
 

    

  

  




Our web partners:
Inexpensive 
Web Hosting 



Java Web Hosting


personal webspace


webspace php 


linux webhost
 




 html web templates




DreamweaverQuality Web Templates


PSD Web Templates
 





cheap webhost


j2ee web Hosting


buy webspace


ftp webspace


adult webspace
 





frontpage WebHosting


webspace hosting


cheap webhost


Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved



aol web hosting