3 Replies Latest reply on May 22, 2012 9:42 AM by RUBEN CANO

    Entity Beans & Security: best practice ?

    Wouter Zoons Newbie

      hi,

      I would like some advice on security design, more specifically when applying it on Entity Beans.

      I am currently developing a J2EE application and everything is going very well, I am now taking the time to fine-tune some features that are not related to any specific application server vendor.

      This also includes the security layer, I have form based login to authenticate using the default JAAS implementation, all my beans, both entity and session, have method level access restrictions (using the roles in ejb-jar.xml). It works.

      My question is the following: I am using EJB2.0 and my entity beans are all only exposed using local interfaces which are being accessed via the session facades (which I call the 'services'), does it make sense to apply an extra security check on these entity beans ?

      Since there already is a security-check in the session beans that call these beans it would be a little redundant... or not ?

      Am I overlooking something here ? Is it possible to gain access to the entity beans without the session facades (suppose you would gain admin access to the container and the server on which it runs) ? On the top of my head I was thinking someone could deploy mbeans that would call them directly, is this possible/realistic ?

      Is applying security checks in the entity beans for a second time overkill ? does it hit performance too much ?

      thanks for your time
      best regards

      Wouter

        • 1. Re: Entity Beans & Security: best practice ?
          Juha Lindfors Master

          > Is applying security checks in the entity beans for a
          > second time overkill ? does it hit performance too
          > much ?

          It's not much of a performance issue. More it can become a maintenance issue if you're declaring many different roles (therefore having to modify them in sync between the facade and the entity). In that case, it might make sense to declare an "InternalUser" role for the entities and have your facade use that identity with the <run-as> element.

          • 2. Re: Entity Beans & Security: best practice ?
            Wouter Zoons Newbie

            hi Juha,

            but that's not an issue... bean classes are XDoclet generated :) and the XDoclet code in turn is generated using AndroMDA (from the UML)

            so no need for manual sync. as there is no security logic in the business implementation classes

            cheers
            Wouter

            • 3. Re: Entity Beans & Security: best practice ?
              RUBEN CANO Newbie

              Hi Wouter:

               

              I know that it hasn't relation whit the subject, but I'm very frustrated and I don't know where I can find the solution to my problem.

               

              I have read that you have developped a J2EE application and it works well. I'm trying do the same (a J2EE application with AndroMDA) and I have an issue that I can't access to the facades ('services'). I have been looking for the trouble more than a week but my result is nothing.

               

              Could you send me a code example about the way that you use to do it, in other words, the way that you use to call the facade, please??? 

               

              Thanks in advace and sorry for the inconvenience.