Security for distributed systems falls into two problem domains: business component security and network security. Proper business component security prevents users from doing things they should not be able to do to the shared business objects. Proper network security, on the other hand, prevents snoopers from intercepting your network traffic and seeing things they should not.
Component security involves authenticating the people accessing your system and validating their access requests against a set of established privileges. Distributed computing, especially in a web environment, introduces a few quirks that make component security especially troublesome. Fortunately for EJB users, security is handled for you by your EJB container at every level. You just specify security policies at deployment time.
Today applications tend to rely on a weak authentication method based on a user ID/password combination. This authentication method requires you to store a list of users and their passwords in the system. When a client presents a user ID and password, and the specified password matches the password you have in your database for that user ID, your system is considered to have authenticated that user. In other words, your system views the fact that the correct password was provided as proof that the user is who that user claims to be.
Upon initial authentication of a user, your system needs a way to keep track of that user, i.e., to keep ...