Given a code listing, determine whether it is a legal and appropriate way to programmatically access a caller's security context.

This page discusses - Given a code listing, determine whether it is a legal and appropriate way to programmatically access a caller's security context.

Ads

Tutorials   
Chapter 5. Client View of an Entity Identify correct and incorrect statements about the Application Assembler's responsibilities, including the use of deployment descriptor elements related to transactions and the identifica Given a list of responsibilities, identify whose which are the Container's with respect to transactions, including the handling of getRollbackOnly, setRollbackOnly, getUserTransacti EJB Transactional Attributes Chapter 11. Transactions Given a list of scenarios, identify which will result in an ejbRemove method not being called on a bean instance. Given a list of responsibilities related to session beans, identify those which are the responsibility of the session bean provider and those which are the responsibility of the EJB contai Given a list of methods for a stateful or stateless session bean class, define which of the following operations can be performed from each of those methods: SessionContext interface metho Chapter 4. Session Bean Life Cycle Identify correct and incorrect statements or examples about the client view of a session bean's local and remote component interfaces. Identify the interface and method for each of the following: retrieve the session bean's remote home interface, retrieve the session bean's local component interface, determine if the sessio Match the correct description about purpose and function to which session bean type they apply: stateless, stateful, or both. Chapter 14. Security Management Given a security-related deployment descriptor tag, identify correct and incorrect statements and code related to that tag. Given a list of responsibilities, identify which belong to the deployer, bean provider, application assembler, container provider, system administrator, or any combination. From a list of responsibilities, identify which belong to the application assembler, bean provider, deployer, container provider, or system administrator. Part I. Exam Objectives Preface Identify the interfaces and methods a JMS message-driven bean must implement. Identify the use and behavior of the MessageDrivenContext interface methods. SCBCD Study Guide Given a list of responsibilities related to exceptions, identify those which are the bean provider's, and those which are the responsibility of the container provider. Be prepared to recog Given a particular method condition, identify the following: whether an exception will be thrown, the type of exception thrown, the container's action, and the client's view. Identify correct and incorrect statements or examples about application exceptions and system exceptions in entity beans, session beans, and message-driven beans. Identify correct and incorrect statements or examples about the client's view of exceptions received from an enterprise bean invocation. Identify correct and incorrect statements or examples about an entity bean's primary key and object identity. Identify the use, syntax, and behavior of, the following entity bean home method types, for Container-Managed Persistence (CMP); finder methods, create methods, remove methods, and home me Chapter 8. Entity Beans Chapter 13. Enterprise Bean Environment Chapter 2. Client View of a Session Bean Match EJB roles with the corresponding description of the role's responsibilities, where the description may include deployment descriptor information. Given a list, identify which are requirements for an EJB-jar file. Identify correct and incorrect statements or examples about the client view of a entity bean's remote component interface (EJBObject). Identify correct and incorrect conditional expressions, BETWEEN expressions, IN expressions, LIKE expressions, and comparison expressions. Identify correct and incorrect statements or examples about the purpose and use of EJB QL. Chapter 9. EJB-QL Identify correct and incorrect statements or examples about EJB programming restrictions. Chapter 1. EJB Overview Identify EJB 2.0 container requirements. Identify correct and incorrect statements or examples about the client view of an entity bean's local component interface (EJBLocalObject).

Given a code listing, determine whether it is a legal and appropriate way to programmatically access a caller's security context.

The javax.ejb.EJBContext interface provides TWO methods that allow the Bean Provider to access security information about the enterprise bean's caller:

package javax.ejb;

public interface EJBContext {

	// The following two methods allow the EJB class
	// to access security information:

	// Returns the principal that represents the CALLER of the
	// enterprise bean, not the principal that corresponds to the 
	// run-as security identity for the bean, if any.
	java.security.Principal getCallerPrincipal();

	// Tests the principal that represents the CALLER of the
	// enterprise bean, not the principal that corresponds
	// to the run-as security identity for the bean, if any.
	boolean isCallerInRole(String roleName);
	...	
}
					

The Bean Provider can invoke the getCallerPrincipal and isCallerInRole methods only in the enterprise bean's business methods for which the Container has a client SECURITY CONTEXT.

The purpose of the getCallerPrincipal() method is to allow the enterprise bean methods to obtain the current caller principal's name. The methods might, for example, use the name as a key to information in a database.

An enterprise bean can invoke the getCallerPrincipal() method to obtain a java.security.Principal interface representing the current caller. The enterprise bean can then obtain the distinguished name of the caller principal using the getName() method of the java.security.Principal interface.

public class EmployeeServiceBean implements SessionBean {
	EJBContext ejbContext;

	public void changePhoneNumber(...) {
		...
		// Obtain the default initial JNDI context.
		Context initCtx = new InitialContext();

		// Look up the remote home interface of the EmployeeRecord
		// enterprise bean in the environment.
		Object result = initCtx.lookup("java:comp/env/ejb/EmplRecord");

		// Convert the result to the proper type.
		EmployeeRecordHome emplRecordHome = (EmployeeRecordHome)
			javax.rmi.PortableRemoteObject.narrow(result,
			EmployeeRecordHome.class);

		// obtain the caller principal.
		callerPrincipal = ejbContext.getCallerPrincipal();

		// obtain the caller principal's name.
		callerKey = callerPrincipal.getName();

		// use callerKey as primary key to EmployeeRecord finder
		EmployeeRecord myEmployeeRecord =
			emplRecordHome.findByPrimaryKey(callerKey);

		// update phone number
		myEmployeeRecord.changePhoneNumber(...);
	...
	}
}
					

The enterprise bean code uses the isCallerInRole(String roleName) method to test whether the current caller has been assigned to a given security role. Security roles are defined by the Application Assembler in the deployment descriptor, and are assigned to principals or principal groups that exist in the operational environment by the Deployer.

public class PayrollBean ... {
	EntityContext ejbContext;

	public void updateEmployeeInfo(EmplInfo info) {

		oldInfo = ... // read from database;

		// The salary field can be changed only by callers
		// who have the security role "payroll"
		if (info.salary != oldInfo.salary &&
		!ejbContext.isCallerInRole("payroll")) {
			throw new SecurityException(...);
		}
		...
	}
...
}

					

The Bean Provider is responsible for DECLARING in the security-role-ref elements of the deployment descriptor all the security role names used in the enterprise bean code. The ROLE NAME name must be the security role name that is used as a parameter to the isCallerInRole(String roleName) method.

<entity>
	<ejb-name>AardvarkPayroll</ejb-name>
	<ejb-class>com.aardvark.payroll.PayrollBean</ejb-class>
	...
	<security-role-ref>
		<description>
			This security role should be assigned to the
			employees of the payroll department who are
			allowed to update employees' salaries.
		</description>
		<role-name>payroll</role-name>
	</security-role-ref>
	...
</entity>

					

Full description of security-role-ref element is:

<!--
The security-role-ref element contains the declaration of a security
role reference in the enterprise bean's code. The declaration consists
of an optional description, the security role name used in the
code, and an optional link to a defined security role.
The value of the role-name element must be the String used as the
parameter to the EJBContext.isCallerInRole(String roleName) method.
The value of the role-link element must be the name of one of the
security roles defined in the security-role elements.
Used in: entity and session
-->

<!ELEMENT security-role-ref (description?, role-name, role-link?)>

					

Advertisements

Share on Google+Share on Google+

Given a code listing, determine whether it is a legal and appropriate way to programmatically access a caller's security context.

Posted on: April 18, 2011 If you enjoyed this post then why not add us on Google+? Add us to your Circles

Advertisements

 
Comments:0

Ads

 

Ads