Security and Deployment Descriptors

From sheep
Revision as of 21:35, 14 September 2021 by Martin (talk | contribs) (Created page with "References * http://java.boot.by/scea5-guide/ch08s04.html * [http://java.sun.com/xml/ns/javaee/ all schemas for j2ee] * [http://java.sun.com/xml/ns/javaee/javaee_5.xsd j2ee xs...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

References

Declarative security

  • rules and permissions
  • defined in deployment descriptors
    • EJB = ejb-jar.xml
    • WAR = web.xml
    • JAR = application-client.xml

web.xml

Can configure protocol and roles of pages that can be seen

 <web-app>
   <security-constraint>
     <web-resource-collection>
       <url-pattern>  </url-pattern>
       <http-method>GET or POST</http-method>
     </web-resource-collection>
 
     <auth-constraint>
       <role-name></role-name>
     </auth-constraint>
 
     <user-data-constraint>
       <transport-guarantee>NONE (=http) or INTEGRAL (must not be tampered with = ssl) or CONFIDENTIAL (must not be intercepted = ssl)</transport-guarantee>
     </user-data-constraint>
   </security-constraint>
 </web-app>

ejb.xml

ejb xsd

  • Can map roles to logical names for use within beans
  • Can define roles the bean will run as
  • Can define the roles required to access methods of beans
    • can distinguish between methods overridden, interfaces - remote/local
    • in assembly descriptor
  • message driven only has security role to run as
 <ejb-jar>
   <enterprise-beans>
     <entity|session>
       <security-role-ref> < !-- only for use in security context methods within bean -- >
         <role-name>Name to use in bean</role-name>
         <role-link>actual role or logic role mapped by assembly descriptor</role-link>
       </security-role-ref>
  
       <security-identity>
         * <use-caller-identity/> < !-- empty tag run as calling user -- >
         * OR
         * <run-as>
       </security-identity>
 
 ...
 <message-driven>
   ....
   <security-identity>
     * <use-caller-identity/> < !-- empty tag run as calling user -- >
     * OR
     * <run-as>
   </security-identity>
 <message-driven>
 
 <assembly-descriptor>
   <security-role-ref> < !-- see above -- > </security-role-ref> 
   <method-permission>
     * <role-name></role-name>
     * or 
     * <unchecked/>
     <method>
       <ejb-name></ejb-name>
       <method-intf>optional - one of Home,Remote,LocalHome,Local,ServiceEndpoint</method-intf>
       <method-name></method-name>
       <method-params>optional - distinguish between overridden methods repeated with fully specified class</method-params>
     </method>