CSS 2003
October 26-31, 2003
Dan Johnsson, Frobozz AB, Sweden
One popular myth in J2EE is that stateful session EJBs (SFSBs) are troublesome and should be avoided. It is not uncommon for architecture groups to dictate that SFSBs should not be used at all. These decisions are often based more on rumours than on rational, well-informed judgement. The sad truth is that the alternative solutions are often worse than SFSBs. The result is architectures that have lost their foundation in the business domain, often with lower extensibility and reliability, and more often than not containing security breaches.
In this presentation, we examine SFSBs in depth. We see in what kind of environment they constitute no problem, and under what circumstances they start consuming a lot of resources. For the class of applications where SFSBs become troublesome, we investigate alternative solutions (cookies, HTTP sessions, and databases) and compare them with regard to performance, reliability, extensibility and security.
Even practising architects sometimes have only a vague idea of how to use the standard J2EE security model. It is not uncommon to see architectures that reinvent and implement similar security functionality instead of using the existing, built-in mechanisms. In this presentation we explain what functionality you get from the J2EE security model and how to configure it. In particular, we look at authentication (Web-based and JAAS client-app), role-based authorisation and resource control.
In authentication we study the different ways containers can establish a client identity. For the Web container we see when and why we would use BASIC HTTP authentication, FORM-based authentication, or CLIENT-CERT (certificate-based) authentication. For the application container we see how we have more liberty to use a JAAS LoginModule to plug in our own authentication, e.g. smart cards. In authorisation we see how the EJB role-based security system keeps the focus on the business domain, and how it works best in a service-based architecture. For resource control we investigate the options for configuring access control: static configuration, support for programmatic control, and principal/credential mappings.
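To make the declarative model described above concrete, here is a web.xml excerpt that selects FORM-based container authentication and protects a set of URLs with a role-based constraint. This excerpt is an added illustration for this page, not material from the talk; the role name, URL pattern, realm name and JSP paths are constructed placeholders.

```xml
<!-- Constructed web.xml excerpt: declarative J2EE web-tier security.
     Role, realm, URL pattern and page names are illustrative placeholders. -->
<web-app>

  <!-- Role-based authorisation: only callers in the "orders-clerk" role
       may reach the order-entry URLs. No <http-method> is listed on purpose:
       listing methods constrains only those methods and leaves the rest
       unprotected, whereas omitting it applies the constraint to all of them. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Order entry</web-resource-name>
      <url-pattern>/orders/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>orders-clerk</role-name>
    </auth-constraint>
    <!-- Resource control on the transport: the container redirects
         plain-HTTP requests to a confidential (TLS) connection. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication: the container establishes the caller identity with a
       FORM-based login against the named realm. Replacing FORM with BASIC or
       CLIENT-CERT switches to the other two Web-container mechanisms. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>example-realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced by a constraint must be declared; the deployer
       maps it to users or groups in a vendor-specific descriptor. -->
  <security-role>
    <role-name>orders-clerk</role-name>
  </security-role>
</web-app>
```

With this in place the application code contains no authentication logic at all; where a programmatic check is unavoidable, the servlet tier asks the container with `HttpServletRequest.isUserInRole("orders-clerk")`, and the EJB tier uses the analogous `<method-permission>` element in ejb-jar.xml or `EJBContext.isCallerInRole(...)`, so the role names stay in the business vocabulary rather than in hand-rolled security code.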
We also study the support for integrating the J2EE security mechanisms with existing security systems (such as an LDAP directory containing user and authorisation information). This discussion will revolve around the de facto (non-standardised) support common among vendors, and the initiatives to standardise it, such as the "Java Authentication Service Provider Interface for Containers" (JSR 196) and the "Java Authorization Contract for Containers" (JSR 115). This also serves as our looking-glass into the future, to see in which direction security standards will evolve.
© 1997-2003 Kovsky Conference Productions Inc. All rights reserved.