Now that we've covered how authentication is performed, let's look at authorization. We'll start by examining declarative security.
6.4.4. EJB declarative security
Declarative security is somewhat analogous to CMTs. You tell the container what you expect through annotations or configuration files, and the container takes care of the heavy lifting. Conveniently, both annotations and configuration files can apply to either an entire class or an individual method. The container converts the server container's role into an application group and then checks it against the list of valid roles to determine whether a particular method on a bean can be invoked. If it can't be invoked, an exception is thrown.
To put this discussion of security into context, let's look at a security problem in ActionBazaar. Customer service representatives (CSRs) are allowed to cancel a user's bid under certain circumstances—for example, if a seller discloses something in an answer to a bidder that should have been mentioned in the listing. But in the original implementation of the cancel bid operation, there was no check to ensure that the action was being performed by a CSR.
A clever hacker analyzes the logical naming conventions used in the forms and links. After some trial and error, he finally bangs out a Perl script that constructs a POST request that will cancel a bid. The hacker then uses his utility to engage in “shill bidding” in an attempt to incite users to overpay for an item. The hacker posts items for sale and uses a friend's account to incite a bidding war. Once the genuine bidders stop bidding, the hacker removes the fake bid using his knowledge of HTML POST requests. No one has any clue that this is happening.
After a while, customer service discovers the scheme as a result of questions from observant bidders who are surprised that they've won a bid after being outbid. Protections are put in place using EJB security so that only CSRs can cancel a bid. An implementation using declarative security is shown in the following listing.
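The listing the text refers to is not reproduced on this page. What follows is an added example (not the book's ActionBazaar code) of the declarative fix it describes: a hypothetical `BidManagerBean` and `Bid` entity, with the EJB 3 security annotations restricting `cancelBid` to the CSR role.

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;

/** Minimal hypothetical bid entity so the bean below is self-contained. */
@Entity
class Bid {
    @Id private Long id;
    private boolean cancelled;

    protected Bid() { }                       // no-arg constructor required by JPA
    public Long getId() { return id; }
    public boolean isCancelled() { return cancelled; }
    public void setCancelled(boolean cancelled) { this.cancelled = cancelled; }
}

@Stateless
@DeclareRoles({"CSR", "BIDDER"})              // the application roles this bean refers to
public class BidManagerBean {
    @PersistenceContext private EntityManager em;

    /*
     * In the original ActionBazaar code this method carried no security
     * annotation, so the container treated it as unchecked and any caller who
     * could reach the bean (including a hand-built POST) could cancel a bid.
     * With @RolesAllowed the container tests the caller's role *before* the
     * method body runs and throws javax.ejb.EJBAccessException if the caller
     * is not a CSR; the cancellation never happens.
     */
    @RolesAllowed("CSR")
    public void cancelBid(long bidId) {
        Bid bid = em.find(Bid.class, bidId);
        if (bid == null) {
            throw new IllegalArgumentException("no such bid: " + bidId);
        }
        bid.setCancelled(true);               // soft-delete keeps an audit trail
    }

    /** Bidders and CSRs may both look up a bid. */
    @RolesAllowed({"CSR", "BIDDER"})
    public Bid findBid(long bidId) {
        return em.find(Bid.class, bidId);
    }
}
```

The names in `@RolesAllowed` are application roles; the deployer maps them to the server's groups in the vendor deployment descriptor, and a caller whose group is not mapped simply receives `EJBAccessException`. A method with no security annotation at class or method level stays unchecked, which is exactly the gap in the original implementation.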