Chapter 7 Security


305


constraints. Such mechanisms allow only authentic caller identities to access com 


ponents. Since the J2EE application programming model focuses on permissions,


which indicate who can do what function, authentication and identity establish 


ment occur before authorization decisions are enforced.


After successful authentication, a credential is made available to the called


component. The credential contains information describing the caller through its


identity attributes. Anonymous callers are represented by a special credential.


These attributes uniquely identify the caller in the context of the authority that


issued the credential. Depending on the type of credential, it may contain other


attributes that define shared authorization properties (such as group member 


ships), which distinguish collections of related credentials. The identity attributes


and shared authorization attributes in the credential are collectively represented as


security attributes.


 Comparing the security attributes of the credential associated


with a component invocation with those required to access the called component


determines access to the called component.


In the J2EE architecture, a container serves as an authorization boundary


between the components it hosts and their callers. The authorization boundary


exists inside the container's authentication boundary so that authorization is con 


sidered in the context of successful authentication. For


inbound


calls, the con 


tainer compares security attributes from the credential associated with a


component invocation to the access control rules for the target component. If the


rules are satisfied, the container allows the call; otherwise, it rejects the call.


7.2.2.1


Declarative Authorization


Deployment establishes the container enforced access control rules associated with


a J2EE application. Generally, a deployment tool maps an application permission


model, which is defined in the deployment descriptor, to policy and mechanisms


specific to the operational environment.


The deployment descriptor defines logical privileges called 


security roles


 and


associates them with components. Security roles are ultimately granted permis 


sion to access components. At deployment, the security roles are mapped to iden 


tities in the operational environment to establish the capabilities of users in the


runtime environment. Callers authenticated by the container as one of these iden 


tities are assigned the privilege represented by the role.


The EJB container grants permission to access a method only to callers that


have at least one of the privileges associated with the method. The Web container


enforces authorization requirements similar to those for an EJB container. Secu 








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      
 

    

  

  




Our web partners:
Inexpensive 
Web Hosting 



Java Web Hosting


personal webspace


webspace php 


linux webhost
 




 html web templates




DreamweaverQuality Web Templates


PSD Web Templates
 





cheap webhost


j2ee web Hosting


buy webspace


ftp webspace


adult webspace
 





frontpage WebHosting


webspace hosting


cheap webhost


Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved



aol web hosting