EJB Component Security
EJB containers provide fairly rich security capabilities for EJB components that they manage. The following sections discuss transport-level security, authentication, declarative and programmatic authorization, identity propagation, and security best practices for the EJB tier. The material presented here complements the coverage provided in Chapter 6. We’d recommend reviewing the relevant security-related material in that chapter first, then returning to this section for further details.
EJB-Tier Transport-Level Security
As discussed in Chapter 6, remote EJB clients can use either RMI/JRMP or CORBA/IIOP protocols to communicate over the network with EJB components. If you need to secure the communications between clients and the EJB container, IIOP traffic can be tunneled over SSL using various IIOP/SSL tunneling protocols. But support for SSL-enabled IIOP is server-specific, so you’ll have to ensure that both the EJB container and the client environments support the same secure IIOP protocols.
Using secure JRMP connections has been problematic in the past because the Java platform lacked a standard implementation of SSL-enabled JRMP sockets. JDK 1.5 introduced standard SSL-enabled RMI socket factories, but it will likely take some time for them to make their way into EJB container implementations as an option for deployed components.
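To make the JDK 1.5 mechanism concrete, here is an added example (not code from the book, and not tied to any EJB container) that exports a plain RMI object over SSL using the standard javax.rmi.ssl socket factories. The Echo interface, the keystore and truststore paths, the passwords and the TLS version are all assumptions for illustration; in practice the container, not application code, would perform this wiring.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

// Hypothetical remote interface used only for this demonstration.
interface Echo extends Remote {
    String echo(String msg) throws RemoteException;
}

public class SslRmiDemo implements Echo {

    public String echo(String msg) {
        return "echo:" + msg;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder key material: JSSE reads the server's identity and the
        // trusted CA set from these standard system properties. Real
        // deployments would supply real stores and keep passwords out of code.
        System.setProperty("javax.net.ssl.keyStore", "/path/to/server.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        // The client factory is Serializable and travels inside the stub, so
        // any caller that looks up the object automatically speaks SSL.
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();

        // Server side: null cipher list = JSSE defaults; restrict the protocol
        // (assumes a JDK that supports TLSv1.2) and require a client
        // certificate so both ends of the JRMP connection are authenticated.
        SslRMIServerSocketFactory ssf =
            new SslRMIServerSocketFactory(null, new String[] {"TLSv1.2"}, true);

        int port = 1099;

        // The registry itself listens on an SSL socket, so name lookups are
        // protected as well as the remote calls that follow them.
        Registry registry = LocateRegistry.createRegistry(port, csf, ssf);

        // Export the remote object on an anonymous SSL port and bind the stub.
        Echo stub = (Echo) UnicastRemoteObject.exportObject(new SslRmiDemo(), 0, csf, ssf);
        registry.rebind("Echo", stub);

        System.out.println("Echo bound over SSL on port " + port);
    }
}
```

A client obtains the registry with LocateRegistry.getRegistry(host, port, new SslRMIClientSocketFactory()) and must present a certificate that the server's truststore accepts, because needClientAuth is set to true above. This is the socket-level building block the paragraph refers to; whether an EJB container exposes it for deployed beans remains a vendor-specific question.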
In either case, configuring EJB containers to use secure transport communications is a vendor-specific detail. ...