Chapter 2 Securing Component Access
EAServer 4.0 implements J2EE version 1.3 security requirements, including Java and C++ ORB support and CORBA Secure Interoperable version 2 protocol (CSIv2). CSIv2 is part of EJB version 2.0 interoperability requirements, and supports:
For more information about J2EE version 1.3, see the Java Web site http://java.sun.com/j2ee .
For more information about servlet technology, see the Java Web site http://java.sun.com/products/servlet/index.html .
For more information about CSIv2, see the OMG Web site http://www.omg.org/technology/documents/formal/omg_security.htm
EJB 2.0 components use caller propagation to pass client information between servers for authentication, whereas run-as support allows EJB 2.0 components to perform method invocations on other components using a different identity.
Caller propagation allows an EJB 2.0 RMI/IIOP client to pass principal information to a server and have that information propagated to other servers. In other words, EAServer 4.0 can pass a client's user name or X.509 certificate information from an EJB on one server, to an EJB on a different server. For example:
To enable caller propagation for EJB component calls made
in servlet or component code, you must specify a corbaname
URL
in the EJB Reference properties for the EJB component, servlet,
or JSP that issues the call.
For information on interoperable naming URLs, see "EAServer EJB Interoperability" in the EAServer Programmer's Guide.
Normally, when a component calls another component, the invocation uses the client's credentials. You can use identities to specify alternate credentials for intercomponent calls. Identities map logical identity names to a user name, password, and required SSL session characteristics. The identity names are used in the run-as mode settings for components and component methods.
Run-as support enables an EJB 2.0 component to perform method invocations on other components using a specified identity. This identity can be configured at deployment time. In the standard EJB 2.0 deployment descriptor, the run-as property is expressed in terms of a role. The role is a name of a security-role element defined in the same deployment descriptor. It is expected that at deployment time, or when configuring a new EJB, the role name should be defined. Further, the deployer selects a Jaguar identity that is expected to be present in this role. This Jaguar identity is used while invoking another EJB. The run-as feature can be enabled via Jaguar Manager.
To enable use of the run-as identity for EJB component calls
made in component code, you must specify corbaname
URLs
in the EJB Reference properties for the EJB component that issues
the call. For information on interoperable naming URLs, see the "EAServer
EJB Interoperability" chapter in the EAServer
Programmer's Guide.
Configuring an EJB 2.0 component to run as a different identity
specified
.
You can configure a run-as identity application or server-wide. This provides a convenient way to globally set the run-as identity for all of the EJBs in an application or server.
Configuring EJB 2.0 components or servlets to run as a different identity at the application or server level
You can check the setting of your run-as identity from the
All Properties tab by viewing the com.sybase.jaguar.server.security.runasidentity
property,
and the com.sybase.jaguar.application.security.runasidentity
property. Do
not set the run-as identity in the All Properties tab since these
values are overwritten by the values set in the Security tab.
Identities defined in Jaguar Manager configure client identities (user names, SSL certificates, or Entrust users) that can be assumed by executing components. For caller propagation, EAServer requires an identity to propagate a remote client's credentials to another server when it cannot include, as part of the request, the client's authentication data (password or a private key corresponding to a X.509 certificate). You configure a server (or container) to trust a set of identities that vouch for the client. These identities are known as trusted identities.If a target server trusts an intermediate server, it is implied that the target server trusts all servers trusted by the intermediate server.A server or container needs to establish a list of identities it trusts. Servers and containers use identities for the purpose of authentication. Other servers need to know the list of trusted identities for a server while connecting to it.
An identity is required when a server is making remote IIOP or IIOPS connections to other servers, and is not necessary for in-server or in-memory component calls. Use Jaguar Manager to establish this identity at the server or application level.
Configuring a security identity for outgoing interserver calls
You can check the setting of your security identity from the
All Properties tab by viewing the com.sybase.jaguar.server.security.identity
property,
and the com.sybase.jaguar.application.security.identity
property.
Do not set the security identity in the All Properties tab since
these values are overwritten by the values set in the Security tab.
A trusted identity vouches for someone else and is always authenticated by the peer. Establish a list of trusted identities at the server or application level.
Establishing a list of trusted identities for incoming interserver calls
Use the Remove button to remove a trusted identity.
You can check the settings of your trusted identities from
the All Properties tab by viewing the com.sybase.jaguar.server.trustedidentities
property,
and the com.sybase.jaguar.server.applicaiton.trustedidentities
property.
Do not set trusted identities in the All Properties tab since these values
are overwritten by the values set in the Security tab.
This section describes how to propagate servlet credentials between servers and how to use identities to map logical identity names to a user name, password, and required SSL session characteristics. The identity names are used in the run-as mode settings on Beans called from a servlets.
A servlet's or JSP's HTTP client credentials are propagated when EJBs are invoked on remote servers. Earlier versions of EAServer propagated user name/password or digital IDs, and only within the same server.
Run-as support for servlets is similar to run-as support for EJBs:
To enable run-as support for servlets or JSPs, the servlet
or JSP must be installed in a Web application. Additionally, you
must specify corbaname
URLs
in the EJB Reference properties for the servlet or JSP that issues
the call. For information on interoperable naming URLs, see "EAServer
EJB Interoperability" in the EAServer Programmer's
Guide.
From Jaguar Manager, configure the run-as identity as follows:
specified
.
You can configure a run-as identity application or server-wide. This provides a convenient way to globally set the run-as identity for all of the servlets/JSPs in an application or server. See "Configuring EJB 2.0 components or servlets to run as a different identity at the application or server level" for more information.
The EJB 2.0 and Servlet 2.3 specifications introduce the following restrictions for EJB 2.0 components and servlets:
The effect of the com.sybase.jaguar.server.ejb.role.default property on EJB 2.0 components in EAServer 4.0 differs from EAServer version 4.1 and later:
Copyright © 2002 Sybase, Inc. All rights reserved. |