Upon logging in to the secured system, clients present their credentials, either user name and password, or digital certificates. Once the authentication process is complete, the user’s distinguished name (DN) information is stored in a PortalSession object and is available to any component within the application server that has role-based access restrictions.
The PortalSession object is active for a configurable “time-to-live” duration. If the user does not log out of the portal, and if the connection remains active without exceeding the time-to-live parameter, the PortalSession object remains available to all secured components. The default time-to-live duration is one hour.
Since the PortalSession object persists throughout the life of the connection, users do not have to submit credentials when accessing server applications, or when the server fails over to another configured server in the system. The supporting server assumes the persistent PortalSession object and the session continues.
Because the PortalSession object is transparent, users can access components without detecting your secured assets. Further, through EJBs, the system can apply specific, targeted access restrictions to assets. For example, you can configure an EJB to strip out certain restricted elements of a query result and return only the results of the query that are available to the user as specified by the user’s roles.
This code demonstrates how to do this:

import javax.ejb.*;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import com.sybase.ep.security.sessionsvcs.*;

public class TestComponentBean implements SessionBean
{
    // the various normal session bean methods must be defined...

    // This component method will return different results
    // depending on the user's access to the asset
    // "a1=PrivilegedAsset,o=Sybase,c=us"
    public int dynamicQueryMethod()
    {
        try
        {
            // retrieve the user's PortalSession object
            InitialContext ctx = new InitialContext();
            PortalSessionHome pshome =
                (PortalSessionHome)PortableRemoteObject.narrow(ctx.lookup(
                    "com.sybase.ep.security.sessionsvcs/PortalSession"),
                    PortalSessionHome.class);
            PortalSession callerSession = pshome.findByCurrentSession();

            // determine whether or not they are privileged;
            // the flag starts as false, so the user is unprivileged
            // unless checkAccess explicitly succeeds
            boolean privilegedUser = false;
            String barrierAsset = "a1=PrivilegedAsset,o=Sybase,c=us";
            try
            {
                callerSession.checkAccess(barrierAsset,
                    PortalSession.READ_ACCESS);
                // if the checkAccess succeeds, the user is privileged
                privilegedUser = true;
            }
            catch(com.sybase.ep.security.exceptions.SecurityException e)
            {
                // if a SecurityException is thrown, the user is not privileged
            }

            // now build the query and return the results
            String query;
            if(privilegedUser)
            {
                // the privileged user has full access
                query = "SELECT COUNT(*) FROM UserTable";
            }
            else
            {
                // the non-privileged user returns a limited number of rows
                query = "SELECT COUNT(*) FROM UserTable WHERE Privileged = 0";
            }
            int retval = executeQuery(query);
            // return the count to the caller (the method is declared int)
            return retval;
        }
        catch(FinderException e)
        {
            throw new EJBException("Caller is not authenticated to the system");
        }
        catch(Exception e)
        {
            // we're not expecting any other exceptions
            throw new EJBException(e);
        }
    }

    private int executeQuery(String query)
    {
        // get connection cache, execute query and return the result as an integer
        // (body not shown in this example; the throw keeps the class compilable)
        throw new UnsupportedOperationException("executeQuery is not shown");
    }
}

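The bean above switches between two fixed queries; the same deny-by-default check can also be applied row by row to strip restricted elements from a result, as described earlier. The following is an added example, not Sybase's code: `AccessChecker`, `AccessDenied`, `Row` and the `PublicAsset` DN are hypothetical stand-ins for the portal API so that it runs without EAServer (Java 16 or later).

```java
import java.util.*;

// Added example. AccessChecker is a hypothetical stand-in for
// PortalSession.checkAccess so the filter runs without an application server.
public class ResultFilterExample {

    /** Thrown when the caller lacks access (stand-in for the portal's SecurityException). */
    static class AccessDenied extends Exception {}

    interface AccessChecker {
        void checkAccess(String assetDn) throws AccessDenied;
    }

    /** A result row tagged with the DN of the asset that guards it (constructed layout). */
    record Row(String assetDn, String value) {}

    /** Returns only the rows whose guarding asset the caller may read. */
    static List<String> filter(List<Row> rows, AccessChecker session) {
        Map<String, Boolean> decisions = new HashMap<>(); // one check per asset per call
        List<String> visible = new ArrayList<>();
        for (Row row : rows) {
            boolean allowed = decisions.computeIfAbsent(row.assetDn(), dn -> {
                try {
                    session.checkAccess(dn);
                    return true;   // only an explicit success grants access
                } catch (AccessDenied | RuntimeException e) {
                    return false;  // denial or checker failure: fail closed
                }
            });
            if (allowed) visible.add(row.value());
        }
        return visible;
    }

    public static void main(String[] args) {
        // Constructed sample data; the PublicAsset DN is invented for the example.
        List<Row> rows = List.of(
            new Row("a1=PublicAsset,o=Sybase,c=us", "alice"),
            new Row("a1=PrivilegedAsset,o=Sybase,c=us", "root-admin"),
            new Row("a1=PublicAsset,o=Sybase,c=us", "bob"));
        // Constructed caller: may read everything except the privileged asset.
        AccessChecker ordinaryUser = dn -> {
            if (dn.startsWith("a1=PrivilegedAsset")) throw new AccessDenied();
        };
        System.out.println(filter(rows, ordinaryUser));
    }
}
```

The decision cache lives only for one call, so a change to the user's roles takes effect on the next request rather than being masked by a stale grant.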
This example illustrates how a Java client connects to EAServer via the InitialContextFactory using Enterprise Security credentials:

import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

Properties p = new Properties();
p.put(Context.INITIAL_CONTEXT_FACTORY,
    "com.sybase.ejb.InitialContextFactory");
// For certificate authentication, different properties will be set
p.put(Context.PROVIDER_URL, "iiop://[portalserver]:9000");
p.put(Context.SECURITY_PRINCIPAL, "epusername");
p.put(Context.SECURITY_CREDENTIALS, "eppassword");
InitialContext ctx = new InitialContext(p);