an Administrator group, whereas a company's LDAP directory has a role Department Head that is equivalent. The mapping between the two is application server-specific—many containers can automatically make associations if the group and role names match.
6.4.3. How EJB security is implemented
Java EE security is largely based on the Java Authentication and Authorization Service (JAAS). JAAS separates the authentication system from the Java EE application by using a well-defined, pluggable API. The Java EE application interacts only with the JAAS API. The application isn't responsible for the low-level details of user authentication, such as working with SHA-256 (password hashing) or communicating with an external authenticating service, such as Microsoft's Active Directory or an LDAP directory. The vendor plug-in that's configured in the application container handles the details for you and can be changed as needed. In addition to authentication, the container implements authorization in both the web and EJB tiers using JAAS.
JAAS is designed so that both the authentication and authorization steps can be performed at any Java EE tier, including the web and EJB tiers. Realistically, though, most Java EE applications are web-accessible and share an authentication system across tiers, if not across the application server. JAAS takes advantage of this: once a user is authenticated at any Java EE tier, the authentication context is passed through the tiers wherever possible, instead of repeating the authentication step. The Principal object we already mentioned represents this sharable, validated authentication context. Figure 6.5 depicts this common Java EE security management scenario.
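The container-mediated model described above can be seen from the application's side in the following Java EE snippet. This is an added example, not code from the book; the bean, servlet, role and method names (ExpenseApprovalBean, ApproveServlet, DepartmentHead, Employee) are assumptions chosen for illustration. It shows that the application code never touches credentials, hash algorithms or the directory connection: the web tier authenticates the user once, and the same Principal is propagated into the EJB tier, where the container enforces @RolesAllowed before a method body runs and exposes the caller through SessionContext.

```java
import java.io.IOException;
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical session bean (names are assumptions for this example).
// "DepartmentHead" and "Employee" are application roles; the container maps
// them to directory groups by name or via a vendor-specific deployment
// descriptor, so no group names or credentials appear in the code.
@Stateless
@DeclareRoles({"DepartmentHead", "Employee"})
public class ExpenseApprovalBean {

    // The container injects the security context. Its Principal is the one
    // authenticated earlier (typically in the web tier) and propagated here;
    // the bean never sees passwords, SHA-256 hashes or the LDAP/AD plug-in.
    @Resource
    private SessionContext ctx;

    // Declarative authorization: the container checks the caller's roles
    // before this body executes and throws EJBAccessException otherwise.
    @RolesAllowed("DepartmentHead")
    public String approve(long expenseId) {
        Principal caller = ctx.getCallerPrincipal();
        return "Expense " + expenseId + " approved by " + caller.getName();
    }

    // Programmatic authorization on top of the declarative check: both roles
    // may call this, but the propagated role membership decides the result.
    @RolesAllowed({"DepartmentHead", "Employee"})
    public String summary(long expenseId) {
        if (ctx.isCallerInRole("DepartmentHead")) {
            return "Full details of expense " + expenseId;  // amounts, approver notes
        }
        return "Status of expense " + expenseId;            // limited employee view
    }
}

// Hypothetical web-tier entry point (Servlet 3.0 annotations). The servlet
// container authenticates the user with the JAAS plug-in configured on the
// server; the EJB call below reuses that identity instead of re-authenticating.
@WebServlet("/expenses/approve")
@ServletSecurity(@HttpConstraint(rolesAllowed = "DepartmentHead"))
class ApproveServlet extends HttpServlet {

    @EJB
    private ExpenseApprovalBean approvals;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // req.getUserPrincipal() here and ctx.getCallerPrincipal() inside the
        // bean refer to the same validated authentication context.
        String user = req.getUserPrincipal().getName();
        long id = Long.parseLong(req.getParameter("id"));
        resp.getWriter().println(user + ": " + approvals.approve(id));
    }
}
```

Deployed on a container whose realm maps the directory group to the DepartmentHead role, a user who is not in that group is stopped at the servlet's @HttpConstraint; a caller who reaches the bean without the role (for example through a remote EJB client) is stopped again by @RolesAllowed, so the authorization decision does not depend on the web tier alone.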