OCEJBCD (SCBCD) - 1Z0-895 - Enterprise JavaBeans Developer Certification
11.1. Understand the JavaEE security architecture
- Declarative security (using the deployment descriptor and annotations)
- Programmatic security
More details in the "Securing Enterprise Beans" section of the Java EE tutorial.
11.2. Authenticate the caller
Authentication against a remote EJB can be done through the JNDI environment properties passed to the InitialContext:
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
Properties properties = new Properties(); // JNDI environment; how the container validates it is vendor-specific
properties.put(Context.SECURITY_PRINCIPAL, "username");
properties.put(Context.SECURITY_CREDENTIALS, "password");
Context jndiContext = new InitialContext(properties);
Object ref = jndiContext.lookup("SecureBean/remoteObject");
11.3. Examine JavaEE authorization strategies
Details about web application security can be reviewed in the Java EE tutorial.
- Basic authentication
Credentials are Base64-encoded (not encrypted).
- Form-based authentication
Creating a custom login form. The data is sent in the HTTP request with no encryption, so both basic and form-based authentication should only be used over an SSL/TLS connection.
In the FORM authentication type a login page should be defined, using these three names: j_security_check (the form action), j_username and j_password.
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
<input type="submit" value="Enter">
</form>
- Digest authentication
The password is sent as a hash rather than in clear text (this is not SSL), but not all Java EE containers support it.
- Client authentication
Uses public key certificates. Clients need to have a certificate to use it.
- Mutual authentication
11.4. Use declarative authorization
Annotations:
- @DeclareRoles (class level)
- @RolesAllowed (class or method level)
- @PermitAll (class or method level)
- @DenyAll (class or method level)
At class level the annotation applies to all the business methods in the class. An annotation at method level overrides the class-level annotation for that method.
The security identity between the client and the EJB container is the identity of the caller.
When security is propagated between EJB containers the identity is by default that of the caller, but a different identity can be specified by configuring the bean with the @RunAs("nameOfTheRole") annotation.
Message-driven beans have only @RunAs as identity; they are not allowed to use method permissions or to execute under the caller identity.
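The following is an added example, not code from the original notes: one stateless bean shows the class-level default, the method-level overrides and @DenyAll, and a constructed message-driven bean shows why @RunAs is the only identity option for an MDB. The roles "employee", "manager" and "auditor" and the bean names are assumptions.

```java
// File: PayrollBean.java (constructed example; the roles are assumed)
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"employee", "manager", "auditor"})
@RolesAllowed("employee")   // class-level default for every business method
public class PayrollBean {
    // No annotation: inherits the class-level rule, "employee" only.
    public String viewOwnPayslip() { return "payslip"; }

    // A method-level annotation overrides the class-level one.
    @RolesAllowed({"manager", "auditor"})
    public String exportLedger() { return "ledger"; }

    // Callable by anyone, authenticated or not.
    @PermitAll
    public String helpText() { return "Contact HR for payroll questions"; }

    // Not invocable through the container at all; only the deployment
    // descriptor could re-open it at deployment time.
    @DenyAll
    public void purgeAllRecords() { }
}

// File: NightlyAuditMdb.java. A message-driven bean has no caller identity
// and cannot carry method permissions, so @RunAs is the only way to give
// the EJB calls it makes a role that the target bean accepts.
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.MessageDriven;
import javax.jms.Message;
import javax.jms.MessageListener;

@MessageDriven
@RunAs("auditor")
public class NightlyAuditMdb implements MessageListener {
    @EJB
    private PayrollBean payroll;

    public void onMessage(Message msg) {
        payroll.exportLedger();   // allowed: the call runs in role "auditor"
        // payroll.viewOwnPayslip() would throw EJBAccessException here
    }
}
```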
11.5. Use programmatic authorization
Methods from javax.ejb.EJBContext:
- getCallerPrincipal()
- isCallerInRole("role")
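An added example (not from the original notes) of a rule that declarative security cannot express: a customer may read only their own account, while an admin may read any. The roles "customer" and "admin", the bean name and the balance lookup are assumptions.

```java
// File: AccountBean.java (constructed example; roles and lookup are assumed)
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"customer", "admin"})   // roles tested with isCallerInRole must be declared
@RolesAllowed({"customer", "admin"})   // declarative gate: only these roles get in at all
public class AccountBean {
    @Resource
    private SessionContext ctx;        // SessionContext extends EJBContext

    // Declarative security only answers "is the caller in a role"; it cannot
    // compare the caller with the data being requested, so the method combines
    // getCallerPrincipal() and isCallerInRole() to enforce ownership.
    public String viewBalance(String accountOwner) {
        Principal caller = ctx.getCallerPrincipal();   // never null per spec
        boolean isOwner = caller.getName().equals(accountOwner);
        if (!isOwner && !ctx.isCallerInRole("admin")) {
            // Same exception type the container raises for declarative denials.
            throw new EJBAccessException("caller " + caller.getName()
                    + " may not read the account of " + accountOwner);
        }
        return lookupBalance(accountOwner);
    }

    private String lookupBalance(String owner) {
        return "balance for " + owner;   // placeholder for real data access
    }
}
```

The role names used in isCallerInRole are the logical names declared by the bean provider; the deployer maps them to the users and groups of the target system.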
11.6. Examine the responsibilities of the deployer
To override the security annotations at deployment time, the security elements of the deployment descriptor can be used.
The deployer customises an EJB for a specific operational environment and deploys it into the server.
The deployer interprets the deployment descriptor produced by the application assembler and the bean provider, and knows the security roles and users of the target system.