Join Patrick Royal for an in-depth discussion in this video Enabling security and encryption, part of Java EE Essentials: Enterprise JavaBeans.
- [Voiceover] When designing programs that will connect with remote clients, it's very important to ensure that you have control over who can access and modify your data. This is particularly important if your databases contain sensitive data like personally identifiable information. Fortunately, JavaBeans offers several options to keep your data secure and control who can access it. Security is a complex topic and an entire course could easily be made solely on that topic, so I'll focus on some of the most commonly used security features of Enterprise JavaBeans in this video.
There are two main types of security for Enterprise Beans, declarative security and programmatic security. Declarative security is the simpler method. Its structure revolves around defining user roles and setting access levels for each user method by method. Users will authentic with a username and password combination and then the Bean will check whether those users are allowed to access this specific method. It's also possible to map users to more general roles in order to save time if you have a lot of users. Programmatic security is a bit more difficult to implement, but it has the advantage of being more powerful than declarative security.
Instead of being limited to user accounts, you can use programmatic security to allow or disallow access based on IP address, time of day, or any other criteria that the method itself can check. Let's start by adding declarative security to the entity Bean that we created in Chapter two. If you skipped that Chapter, you can download it from the Exercise files for this video. The first thing we need to do is to declare which roles are available to be used. To do this we would add the annotation @DeclareRoles before the class statement.
Declaring the roles does not set any constraints on the access to this method, but it does allow us to use those roles later on for individual methods. For the purposes of this example let's set the roles as administrator and guest. Hover over @DeclareRoles and choose Add Missing Attributes. Then within the value you can add in Admin and comma and then Guest, both in quotations marks, as your roles. Now for each method we can specify which users are allowed to access it.
There are three options for the annotation. If the annotation @PermitAll is added then any user can access the method. Conversely, @DenyAll will prevent any user from accessing it. To allow some users but deny others use the @RolesAllowed annotation, and specify exactly which users are allowed to access it. As before we set the value equal and then we add in either Admin or Guest. In this case I can add in Admin and this method will only be accessible by administrators, not by guests.
When these annotations are present your server will automatically invoke username/password authentication. You can also modify the application deployment descriptor to use a different type of authentication. Now let's take a look at programmatic security. Programmatic security can actually be used to implement the exact same functions as declarative security, but it goes about it in a different way. Rather than using annotations and having the server interpret them, programmatic security is invoked within the method itself through conditionals.
For instance, the session context has methods for GetCallerPrincipal and IsCallerEnrolled which can be invoked to gain information about the client. Specific results can be added as requirements for an IF statement to function. The main advantage of this strategy is that you are implementing the security manually, so you have complete control over what kind of requirements are checked and how they are used. You can even restrict access to only a part of some method but allow access to the rest of it.
With these techniques we can ensure that our JavaBeans remains secure.
- Building your first simple JavaBeans component
- Creating simple entity beans and message-driven beans
- Defining a primary key
- Understanding the life cycle of beans
- Creating home and component interfaces
- Controlling concurrent access to JavaBeans objects
- Debugging and optimizing JavaBeans code
- Enabling security and encryption
- Creating asynchronous methods