- EJB does not specify how actual users of the system get assigned to roles
- It simply indicates that this mapping must occur and that the EJB server must provide this ability when beans are deployed
- It also does not specify how the user information is propagated into the EJB server
- In the context of the J2EE (of which EJB is a part), there are additional APIs that address security management
- These APIs allow security providers to be plugged into the J2EE environment
- The J2EE also comes with a default security provider and (non-standard) APIs for security management (adding/removing users)
- Within the J2EE a single security realm can span a complete application server system (web server, dynamic page generation, and EJB)
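
As an added illustration (not part of the original notes), an EJB 2.x-style `ejb-jar.xml` fragment showing the part the specification does cover: logical roles and method permissions. The bean, class, method and role names are hypothetical; no user or group appears anywhere in it, because binding real principals to these roles is left to the server's own deployment tooling.

```xml
<!-- Added example: bean, class, method and role names are hypothetical. -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>PayrollBean</ejb-name>
      <home>example.PayrollHome</home>
      <remote>example.Payroll</remote>
      <ejb-class>example.PayrollBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- Name the bean code passes to isCallerInRole("mgr"),
           linked to a logical role declared by the assembler. -->
      <security-role-ref>
        <role-name>mgr</role-name>
        <role-link>payroll-manager</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Logical roles only: the descriptor has no element for users. -->
    <security-role>
      <role-name>payroll-manager</role-name>
    </security-role>
    <security-role>
      <role-name>employee</role-name>
    </security-role>

    <!-- Managers may call every method of the bean. -->
    <method-permission>
      <role-name>payroll-manager</role-name>
      <method>
        <ejb-name>PayrollBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>

    <!-- Employees may call a single method. -->
    <method-permission>
      <role-name>employee</role-name>
      <method>
        <ejb-name>PayrollBean</ejb-name>
        <method-name>getOwnSalary</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

When reviewing a deployment, check the server-specific role mapping alongside this file: a tightly scoped `method-permission` gives no protection if the deployer binds a broad group to `payroll-manager`.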