An enterprise has a critical dependency on its information systems for its business activities. Loss or inaccuracy of information or unauthorized access to an enterprise information system can be extremely costly. So, enterprises require that the security of their enterprise information systems should never be compromised. Applications need to provide access to enterprise information systems without creating security threats to these valuable resources.
Enterprise applications should clearly establish the requirements and architec- ture for secure enterprise information system integration environment. For exam- ple, an application should require only the level of protection needed by the enterprise: reducing the level of protection for less sensitive information or where the system is less vulnerable to threats. The cost of implementing, administering, and running a secure system should also be weighed against the security needs of an application. This trade-off, based on the security benefits and cost, is difficult to make for an enterprise application. However, this trade-off is important to make for the security architecture for enterprise information system integration.
6.9.1
Security Architecture
A security architecture for enterprise information system integration should fulfill a variety of requirements to ensure seamless support for distributed applications:
• Support a consistent end-to-end security architecture across Web, EJB, and en- terprise information system tiers for applications based on the J2EE platform. • Fit with the existing security environment and infrastructure supported by an
enterprise information system.
• Support authentication and authorization of users who are accessing enterprise information systems.
• Be transparent to application components.This includes support for enabling end-users to log on only once to the enterprise environment and access multi- ple enterprise information systems.
• Enable applications to be portable across security environments that enforce different security policies and support different mechanisms.
The relative importance of achieving these goals depends on the cost/benefit trade-off for the security requirements. The more an architecture takes care of these security requirements for the application, the easier the application develop- ment effort.
6.9.2
Application Programming Model
While developing and deploying application components, an Application Compo- nent Provider follows the security model defined for the corresponding J2EE com- ponent—EJB, JSP, or servlet. We recommend the following application programming model for all types of components:
• An Application Component Provider should specify security requirements for an application declaratively in the deployment descriptor. The security re- quirements include security roles, method permissions, and authentication ap- proach for enterprise information system signon.
• A security-aware Application Component Provider can use a simple program- matic interface to manage security at an application level. This programmatic interface allows the Application Component Provider to make access control decisions based on the security context (principal, role) associated with the caller of a method and to do programmatic signon to an enterprise information system (described in Section 6.9.3.2 on page 160).
• Other development roles—J2EE Server Provider, Deployer, System Adminis- trator—should satisfy an application’s security requirements (as specified in the deployment descriptor) in the operational environment.
6.9.3
Resource Signon
From a security perspective, the mechanism for getting a connection to a resource is referred to as resource signon. A user requests a connection to be established under its security context. This security context includes various attributes, such as role, access privileges, and authorization level for the user. All application-level invoca- tions to the database using this connection are then provided through the security context associated with the connection.
SECURITY 159
If the resource signon mechanism involves authentication of the user, then an Application Component Provider has the following two choices:
• Allow the Deployer to set up the resource signon information. For example, the Deployer sets the user name and password for establishing the database con- nection. The container then takes the responsibility of managing the database signon.
• Implement sign on to the database from the component code by providing ex- plicit security information for the user requesting the connection.
We recommend that a component let the container manage resource signon. This takes the burden of managing security information for the signon off of the Application Component Provider. It also enables J2EE servers to provide addi- tional useful security services, such as single signon across multiple enterprise information systems and principal mapping across security domains.
Container-managed resource signon enables the Application Component Pro- vider to avoid hard-coding security details in the component code. A component with hard-coded security logic is less portable because it is difficult to deploy on containers with different security policies and mechanisms. The following sec- tions illustrate how to sign on using both approaches.
6.9.3.1 Container-Managed Signon
In this example, the Application Component Provider delegates the responsibility of setting up and managing resource signon to the container. The Deployer sets up the resource signon so that the user account for connecting to the database is always
eStoreUser. The Deployer also configures the user identification and authentication information—user name and password—that is needed to authenticateeStoreUser
to the database.
As shown in Code Example 6.2, the component code invokes the connection request method on the javax.sql.DataSource with no security parameters. The component instance relies on the container to do the signon to the database using the security information configured by the Deployer. Code Example 6.3 contains the corresponding connection factory reference deployment descriptor entry, where theres-auth element specifies that signon is performed by the container.
// Obtain the initial JNDI context Context initctx = new InitialContext();
// Perform JNDI lookup to obtain connection factory
javax.sql.DataSource ds = (javax.sql.DataSource)initctx.lookup( "java:comp/env/jdbc/MyDatabase");
// Invoke factory to obtain a connection. The security // information is not given, and therefore it will be // configured by the Deployer.
java.sql.Connection cx = ds.getConnection();
Code Example 6.2 Container-Managed Signon
<resource-ref> <description>description</description> <res-ref-name>jdbc/MyDatabase</res-ref-name> <res-type>javax.sql.DataSource</res-type> <res-auth>Container</res-auth> </resource-ref>
Code Example 6.3 Connection Factory Reference Element
6.9.3.2 Application-Managed Signon
In this example, the Application Component Provider performs a programmatic signon to the database. The component passes explicit security information (user name, password) to the connection request method of thejavax.sql.DataSource.
// Obtain the initial JNDI context Context initctx = new InitialContext();
// Perform JNDI lookup to obtain factory
javax.sql.DataSource ds = (javax.sql.DataSource)initctx.lookup( "java:comp/env/jdbc/MyDatabase");
// Get connection passing in the security information java.sql.Connection cx = ds.getConnection("eStoreUser",
"password");
J2EE CONNECTOR ARCHITECTURE 161
6.9.3.3 Authorization Model
An Application Component Provider relies on the container and enterprise informa- tion system for authorizing access to enterprise information system data and func- tions. The Application Component Provider specifies security requirements for application components declaratively in a deployment descriptor. A set of security roles and method permissions can be used to authorize access to methods on a com- ponent. For example, an Application Component Provider declaratively specifies thePurchaseManagerrole as the only security role that is granted permission to call thepurchasemethod on aPurchaseOrderenterprise bean. Thepurchasemethod in turn drives its execution through an ERP Logistics application by issuing a purchase requisition. So in effect, this application has authorized only end-users with thePur- chaseManagerrole to do a purchase requisition. This is the recommended authoriza- tion model.
An Application Component Provider can also programmatically control access to enterprise information system data and functions based on the principal or role associated with the client who initiated the operation. For example, the EJB specification allows component code to invoke getCallerPrincipal and
isCallerInRole to get the caller’s security context. An Application Component Provider can use these two methods to perform security checks that cannot be expressed declaratively in the deployment descriptor.
An application can also rely on an enterprise information system to do access control based on the security context under which a connection to the enterprise information system has been established. For example, if all users of an applica- tion connect to the database as dbUser, then a database administrator can set explicit permissions for dbUser in the database security domain. The database administrator can denydbUserpermission to execute certain stored procedures or to access certain tables.