Monday, May 5, 2008

Primer on EJB Security

In this blog post, I will try to provide a short primer on security with EJBs.

Client Side:
For EJBs, you can pass the security context from the client side in two ways:
a) Username/password passed as properties to the initial context. The credentials travel with the JNDI context; the initial context factory and provider URL normally come from a jndi.properties file on the client's classpath (on JBoss AS 4 the credentials are only honoured if the JNDI login initial context factory, org.jboss.security.jndi.JndiLoginInitialContextFactory, is the configured factory).
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

// SECURITY_PRINCIPAL / SECURITY_CREDENTIALS are attached to the JNDI context and
// propagated on the subsequent EJB invocations made through it
Properties p = new Properties();
p.put(Context.SECURITY_PRINCIPAL, "principalName");
p.put(Context.SECURITY_CREDENTIALS, "pass");
Context ic = new InitialContext(p);
Object ejbHome = ic.lookup("someejb");
AccountHome accountHome = (AccountHome) javax.rmi.PortableRemoteObject.narrow(ejbHome, AccountHome.class);

b) Do an explicit JAAS login before creating the InitialContext. "someconfig" names an entry in the JAAS login configuration file (java.security.auth.login.config); on JBoss AS 4 that entry must use org.jboss.security.ClientLoginModule, which does no authentication itself but records the principal and credential so they are sent with the remote call. Call lc.logout() when you are done, or the identity stays associated with the thread.
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginContext;

// Authenticate first; the resulting identity is picked up by the EJB invocation layer
LoginContext lc = new LoginContext("someconfig");
lc.login();
Context ic = new InitialContext();
Object ejbHome = ic.lookup("someejb");
AccountHome accountHome = (AccountHome) javax.rmi.PortableRemoteObject.narrow(ejbHome, AccountHome.class);

NOTE: The snippets above omit the try/catch/finally blocks; do not forget them (catch NamingException and LoginException, close the context, and log the JAAS LoginContext out in the finally block).

General JNDI security is highlighted here:
http://java.sun.com/products/jndi/tutorial/ldap/security/index.html

Server Side:
On the server side, the EJBs are packaged in a jar file, which can in turn be packaged in an EAR (Enterprise Archive). For EJB 2.x, the security declarations live in META-INF/ejb-jar.xml: <security-role> elements declare the roles, and <method-permission> elements map those roles to the bean methods they are allowed to call. Methods that anyone may call are marked <unchecked/>, and methods that must never be invoked through the bean's interfaces go in the <exclude-list>. A bean can also be given a <security-identity> with <run-as>, so that the calls it makes to other beans are made under that role instead of the original caller's identity.

On JBoss, do remember to create a META-INF/jboss.xml with a <security-domain> element (e.g. java:/jaas/other) that points at a login module configuration in login-config.xml; that login module is what authenticates the caller and supplies the roles the method permissions are checked against. Without a security domain, JBoss installs no security interceptor for the jar and the method permissions in ejb-jar.xml are never enforced.
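The following pair of descriptors is an added example, not part of the original post: it shows the elements described above working together for a hypothetical stateless session bean. The bean name Account, the roles Customer/Teller/Auditor, the method names, the package example, and the security domain java:/jaas/bank (which would have to exist in login-config.xml) are all assumed for illustration.

```xml
<!-- META-INF/ejb-jar.xml (EJB 2.1) -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <session>
      <ejb-name>Account</ejb-name>
      <home>example.AccountHome</home>
      <remote>example.Account</remote>
      <ejb-class>example.AccountBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- Calls this bean makes to other beans are made as Auditor,
           not as the original caller -->
      <security-identity>
        <run-as>
          <role-name>Auditor</role-name>
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>Customer</role-name></security-role>
    <security-role><role-name>Teller</role-name></security-role>
    <security-role><role-name>Auditor</role-name></security-role>
    <!-- Customers and tellers may read a balance -->
    <method-permission>
      <role-name>Customer</role-name>
      <role-name>Teller</role-name>
      <method>
        <ejb-name>Account</ejb-name>
        <method-name>getBalance</method-name>
      </method>
    </method-permission>
    <!-- Only tellers may move money -->
    <method-permission>
      <role-name>Teller</role-name>
      <method>
        <ejb-name>Account</ejb-name>
        <method-name>transfer</method-name>
      </method>
    </method-permission>
    <!-- The home create() is open to everyone, so clients can obtain a reference -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>Account</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>create</method-name>
      </method>
    </method-permission>
    <!-- Never callable through the bean's interfaces, whatever the caller's roles -->
    <exclude-list>
      <method>
        <ejb-name>Account</ejb-name>
        <method-name>resetAllAccounts</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>

<!-- META-INF/jboss.xml: binds the jar to a security domain (assumed name) and
     gives the bean the JNDI name the client code looks up -->
<jboss>
  <security-domain>java:/jaas/bank</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>Account</ejb-name>
      <jndi-name>someejb</jndi-name>
    </session>
  </enterprise-beans>
</jboss>
```

Two things to check before deploying: every role named in a <method-permission> or <run-as> must be declared as a <security-role>, and any method you forgot to list gets whatever the container's default is for unspecified methods. JBoss 4 exposes that default as the missing-method-permissions-excluded-mode element in jboss.xml; verify its value rather than assuming the unlisted methods are denied.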

Saturday, May 3, 2008

Incorporating Secure Coding Guidelines in Curriculum

An interesting read on Mary Ann Davidson's blog on the Supply Chain Problem. Mary is the Chief Security Officer of Oracle Corporation. She makes some excellent observations about the lack of security education in the regular university curriculum. "Time To Market" and "Please The Market" courses have more or less engulfed the typical curriculum, and the traditional Computer Science courses have taken a back seat. If developers have no clue what the O-notation means, or what depth-first or breadth-first search and traversal mean, then you can imagine the quality of the software they will produce over time.

Do we need to incorporate secure coding practices into the curriculum of Computer Studies? I am sure having at least one mandatory course would not be a bad thing. The question is where the colleges will find the right faculty to teach security; that is an interesting question to be answered. The right thing would be to inculcate security into the relevant courses themselves.

Either way, what Mary is pushing for is a necessity for the software industry.

Tuesday, April 29, 2008

Oasis SAML and XACML Presentation

I am going to be making a presentation on Oasis SAML and XACML at the ExpeditionWorkshop (Exploring Identity Management Landscape) at NIST.

The workshop page is located here.

If you would like to take a peek at my presentation, then click here.

Oasis SAML v2 is a specification that deals with Federated Identity (exchanging authentication and attribute assertions between security domains), and Oasis XACML v2 is a specification that deals with access control (expressing policies and evaluating authorization requests against them).

Examples:
If you would like to see a SAML2 payload carrying an XACML2 request/response, then please take a look at my other post.