May 25, 2011, 12:12 p.m.
posted by superj
Delegation is the process of forwarding a principal's credentials along with associated tasks that the principal originated or is having performed on its behalf. The EJB specification does not define how delegation is to be handled, as it is tied to a specific container implementation. Other than the run-as deployment descriptor element, delegation is left as a container tools issue. If Deployers and/or System Administrators enable delegation, they must configure their delegation policies in order for the EJB container to comply with the security policies of the enterprise.
When a Deployer configures an enterprise bean for a container, the container tools provide any necessary interfaces to configure delegation. One notable problem with delegation is that the getCallerPrincipal() method in the EJBContext interface is ill defined. In general, the Enterprise Bean Provider will not know the delegation configuration in the deployment environment. Also, the EJB specification does not indicate who the caller principal really is; it could be the client initiating the original call to the EJB container, or it could be the immediate caller to an enterprise bean instance. If delegation is enabled, the result of getCallerPrincipal() may not be the principal that the Enterprise Bean Provider expected when the enterprise bean was being written.
Along with authentication, it is the responsibility of the EJB container implementation to enforce the policies defined and supported within the environment. The EJB container can use the JAAS technology to implement delegation policies. As described in Section 9.3.1 on page 314, the method doAs() in class javax.security.auth.Subject can be used to execute code under the identity of the specified Principal. As this is not yet a part of the EJB specification, an Enterprise Bean Provider cannot yet expect the same behavior when the enterprise beans are deployed in different EJB containers, as these may exhibit different authentication mechanisms and delegation support.