This article extends Part 8 of the series, where you use Enterprise Patterns to quickly build Java 2 Platform, Enterprise Edition (J2EE) applications using Rational Software Architect. In this article you'll use two J2EE Security Patterns to configure Enterprise JavaBeans (EJB) security policies and an event pattern to create and submit events. The results are updated deployment descriptors for your J2EE enterprise application and Java code that helps you get started in using the Common Base Event (CBE) standard and the Common Event Infrastructure (CEI).
The Security and Event Patterns are packaged as a reusable asset (RAS) that can be imported and installed into Rational Software Architect. In the asset, there are two configuration patterns and one code-producing pattern.
The security configuration patterns are:
- Method Level Authorization
  - Creates J2EE security roles and specifies method permissions for those roles
- Run As Identity
  - Configures declarative identity delegation policies for an EJB; the identity an EJB should run as when it invokes another J2EE component
The code-producing application pattern is:
- Event
  - The Event pattern generates code that you can easily customize to create CBE events and submit them using CEI.
Installing Security and Event Patterns
The Security and Event patterns require Rational Software Architect V6.0.1. The patterns are packaged into a single RAS asset called Security Patterns. Installing the asset requires connecting to the RAS repository using the developerWorks repository wizard. Select File > New > Other. You may need to select the Show All Wizards check box. Expand RAS > RAS Repository Connection. Select DeveloperWorks Repository and Next. You should see a dialog that looks similar to Figure 1. Select Finish.
Figure 1. Connecting to the developerWorks repository

Once the connection is successful, open the Asset Explorer view in Rational Software Architect using Window > Show View > Other. Asset Explorer is inside the RAS folder. Expand IBM Rational developerWorks and design_j2ee, and you should see the Enterprise Patterns and Security Patterns assets, as shown in Figure 2.
Figure 2. Asset Explorer view

The Event Pattern depends on the Enterprise Patterns, so make sure you install the Enterprise Patterns asset first if it is not already in your workspace. Install by right-clicking Enterprise Patterns and selecting Import. After the Enterprise Patterns asset has been imported successfully, repeat the same steps to import the Security Patterns asset.
After you've successfully imported the assets and restarted Rational Software Architect, the patterns appear in the Pattern Explorer view, as shown in Figure 3. The Event Pattern is under the Enterprise Patterns group, and the Method Level Authorization and Run As Identity patterns are inside the Security group, which in turn is inside the Enterprise Patterns group. Notice that the hierarchy of patterns as displayed in the Pattern Explorer need not be the same as the hierarchy of assets displayed in the Asset Explorer.
Figure 3. Pattern Explorer view

Before continuing, it is helpful to be aware of the detailed online help provided by the Security and Event patterns. To open the online help, select Help > Help Contents. After the Help window is displayed, in the Contents tab sheet on the left panel navigate to the help documentation provided with the patterns by selecting Rational Software Development Platform > Rational Software Architect > Designing a software application using models > Capturing application architecture in a design model > Refining models > Applying patterns > Pattern specific documentation.
You should now see a list of topics similar to what is shown in Figure 4. The event, methodlevel, and runasidentity folders contain the documentation for the three patterns. The Description file of each folder contains the most detailed information.
Figure 4. Security and Event Patterns detailed help

Relationship to Enterprise Patterns and previous scenarios
This article follows the ODFinance theme introduced in earlier articles in the series and used by the Enterprise Patterns in Part 8. In this article, you learn how to apply the Security and Event patterns to a Session Facade service and entity beans created by the Session Facade pattern. To apply this pattern, see the Applying the Session Facade pattern section in Part 8.
At this point you should have successfully created a UML model project, created the customer and account entity beans in it, and applied the Session Facade pattern (as described in Part 8.) After all the steps in the Applying the Session Facade pattern section are completed, you should have a UML diagram that matches Figure 5.
Figure 5. After applying the Session Facade pattern

Applying the Method Level Authorization pattern
With the AccountingSessionFacade class created after you applied the Session Facade pattern,
let's assume you want to set an authorization policy on the AccountingSessionFacade to indicate that
only a caller who plays the CustomerServiceRepresentative role will be authorized to invoke
operations on the facade. We'll also assume you want to secure operations on the Customer class
by allowing only callers who play the CustomerAccountRepositoryAdministrator role to invoke operations
on the Customer class.
You can specify these security policies by applying the Method Level Authorization pattern
on the AccountingSessionFacade and the Customer classes.
First you need to create the authorization policy that only allows a caller who plays the
CustomerServiceRepresentative role to invoke operations on the AccountingSessionFacade.
In the Pattern Explorer navigate to the Method Level Authorization pattern inside the
Enterprise Patterns > Security group. Drag and drop the Method Level Authorization pattern
onto your UML editor, as shown in Figure 6. (Only a portion of the UML editor is shown.)
Figure 6. Applying the Method Level Authorization pattern

Next, you'll provide values to the Method Level Authorization pattern instance that you just created
by dragging and dropping the AccountingSessionFacade onto the EJB parameter, and specifying the
CustomerServiceRepresentative role in the Role parameter.
You can either type the CustomerServiceRepresentative role name
into the Role parameter, or you can hover over it and select the Actor icon to create a UML actor and
then modify the actor name to CustomerServiceRepresentative.
Whichever way you choose, a UML actor is created in the UML model, as shown in Figure 7.
Figure 7. UML Actor created after specifying Role name

Figure 8 shows the completed Method Level Authorization pattern instance.
Figure 8. Completed applying Method Level Authorization pattern for Accounting Session Facade

Repeat the same tasks for the Customer class to specify the authorization policy that only
a CustomerAccountRepositoryAdministrator can invoke operations on the Customer class.
After you've completed the tasks, your UML diagram should look like Figure 9. Only the relevant
portion of the UML diagram is shown.
Figure 9. Completed applying Method Level Authorization Pattern for Customer entity

Applying the Run As Identity pattern
You have created authorization policies for the AccountingSessionFacade and Customer classes. Because the AccountingSessionFacade maintains Customer and the operations on Customer can only be invoked
by a caller who plays the CustomerAccountRepositoryAdministrator role, you need to set the run-as identity on
AccountingSessionFacade so that when it invokes Customer, the AccountingSessionFacade runs as an identity
assigned to the CustomerAccountRepositoryAdministrator role. To set the run-as identity for AccountingSessionFacade,
you apply the Run As Identity pattern.
In the Pattern Explorer, navigate to the Run As Identity pattern under the Enterprise Patterns > Security group. Drag and drop the Run As Identity pattern onto the UML editor. An instance of the Run As Identity pattern is created. Complete the parameters for the pattern as follows:
- Drag and drop the AccountingSessionFacade class onto the EJB parameter. This tells the pattern instance that the run-as identity applies to the AccountingSessionFacade.
- Hover over the Run As Mode parameter, select the little pop-up, and double-click on SPECIFIC_ROLE_IDENTITY. This tells the pattern instance that the AccountingSessionFacade will run as the identity associated with a specific role.
- Using the same technique you used to specify a value for the Role parameter of the Method Level Authorization pattern, specify a value for the Role of this Run As Identity pattern by either hovering over the parameter, selecting the Actor icon that pops up, and renaming the actor to CustomerAccountRepositoryAdministrator, or directly typing the CustomerAccountRepositoryAdministrator role name into the Role parameter.
- Leave the Operation parameter blank. This tells the pattern instance that all operations will use the same run-as identity when they invoke other J2EE components.
The completed Run As Identity pattern instance should look like Figure 10. (Only part of the entire UML diagram is shown.)
Figure 10. Completed applying Run As Identity pattern for Accounting Session Facade

Finally, let's assume you want events to be created and submitted when a customer is created.
You can accomplish this by applying the Event Pattern to the AccountingSessionFacade.
Before you apply the Event Pattern, you need to configure it with the event factories that you want the pattern to use. The event factories assist you in creating CBE events at run time. You also need to configure the Event Pattern with the hostname and port number of the CEI server to which you want to send events.
To configure the Event Pattern, select Window > Preferences. Expand Modeling, then Patterns, and select Event Pattern. The Event Pattern Preferences should be displayed, as shown in Figure 11.
Figure 11. Event Pattern Preferences

Select Add, and the Event Factory Class dialog should display, as shown in Figure 12.
Figure 12. Event Factory Class

In your workspace, you should have either the Java archive (JAR) files or the source projects of the event factories you need to use. In the Select an event factory class field, enter the name of the event factory interface you want to use. The Matching types: field displays all the interfaces and classes that match what you enter. Select the event factory interface you want, then select OK.
In our example, we'll use an event factory called SecondSampleEventFactory. A Project Interchange file (named i-odoebp21code.zip) containing the source for SecondSampleEventFactory is available at Download. Import the Project Interchange file so that the SecondSampleEventFactory project is in your workspace. Then, assume you have entered the value SecondSampleEventFactory into the Select an event factory class field. You should be able to select it from the Matching types: field. Once you select OK, you will be returned back to the Event Pattern Preferences panel. Provide values for the Host name and Port number of the CEI server you want to send events to. The completed preferences page should look similar to Figure 13, but you'll have your own values in the host and port fields.
Figure 13. Completed Event Pattern Preferences

As soon as the Event Pattern preferences are set, you are ready to apply the Event Pattern. In the Pattern Explorer view, navigate to the Event Pattern under the Enterprise Patterns group. Drag and drop the Event Pattern onto the UML editor to create an instance of the pattern.
When you instantiate the pattern, the names of the events supported by your configured event factories (in the Preferences panel) are created as an enumeration inside the UML project that contains the model in your UML editor. You can see the enumeration inside the UML project in the Model Explorer (make sure you are in the Modeling perspective). In this example, since we have configured the Event Pattern preferences page with the SecondSampleEventFactory, an enumeration consisting of the event names (CREATE_CUSTOMER and UPDATE_CUSTOMER) that are supported by the SecondSampleEventFactory will be created, as shown in Figure 14.
Figure 14. Enumeration for event names

Proceed to complete the parameters of the Event Pattern instance you just created.
Drag and drop the AccountingSessionFacade onto the Class parameter. This tells the pattern instance that the Event pattern is
to be applied to the AccountingSessionFacade class. Drag and drop the createCustomer() operation from the
AccountingSessionFacade class onto the Operation parameter of the pattern instance.
As you drop the operation, the <<Event>> keyword is added to the operation's signature in the
AccountingSessionFacade class. Finally, drag and drop the CREATE_CUSTOMER enumeration value
directly from the Model Explorer to the Events parameter. These actions tell the pattern instance that
the createCustomer() operation should create and send the CREATE_CUSTOMER CBE event.
Figure 15 shows all the completed pattern instances. The Event Pattern instance is in the top right corner.
Figure 15. Completed pattern instance

With all the pattern instances completed, you are now ready to run the UML to EJB transformation.
To run the UML to EJB transformation, from the Model Explorer in the Modeling perspective right-click the UML project. (Be sure you click the project and not the .emx file.) Select the menu items as shown in Figure 16.
Figure 16. Invoke UML to EJB transform

In the Run Transformation dialog that appears, provide a name for the transformation and select Create new Target Container. Enter a name for the EJB project. Select Show Advanced if it exists, and more options will display. (If the Show Advanced button does not appear, the advanced options are already displayed.) In the advanced options, ensure the EJB version is 2.1, Target server is WebSphere Process Server 6.0, and select Add support for annotated Java classes. You can uncheck Create an EJB Client Jar Project. Figure 17 shows the completed dialog.
Figure 17. New EJB Project

Select Finish and you will be returned to the Run This Transformation dialog. Select Apply > Run.
After the transformation has completed running, one EJB project and one EAR project will be created. In this example, the J2EESampleOut and J2EESampleOutEAR projects are created. The best way to see the generated code and the deployment descriptors for these projects is from the J2EE perspective. Switch to the J2EE perspective, and from the Project Explorer view expand the EJB Projects folder and expand the EJB project that was created. Double-click its deployment descriptor and examine the Assembly tab sheet. You should see that two security roles and method permissions associated with them are added, as shown in Figure 18.
Figure 18. EJB project deployment Descriptor Assembly tab Sheet

Switch to the Access tab sheet and, as shown in Figure 19, you should see the following in the Security Identity (Bean Level) section.
Figure 19. EJB project deployment descriptor Access tab sheet

Security Identity (Server Identity) is incorrectly displayed, even though
the right side also displays a role name. (This is a tooling problem.)
The AccountingSessionFacade is going to invoke another J2EE component with an identity assigned with the
CustomerAccountRepositoryAdministrator role, not with the server identity.
If you open the enterprise archive (EAR) project associated with this EJB project under the Enterprise Applications folder and examine the EAR project's deployment descriptor, you'll also see that the same security roles have been added in its Security tab sheet.
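Because the Access tab sheet can mislabel the security identity, it is worth reading ejb-jar.xml itself. The following check is an added example, not code from the article or from the IBM tooling: it parses an EJB 2.1 descriptor and confirms that the facade's run-as role is one the Customer bean's method permissions accept. The sample descriptor is constructed, and its bean names and layout are assumptions about what the transformation emits.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/j2ee"}

# Constructed sample: an EJB 2.1 descriptor shaped like this article's policies.
# Bean names and layout are assumptions, not the transformation's real output.
SAMPLE = """<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <session>
      <ejb-name>AccountingSessionFacade</ejb-name>
      <security-identity>
        <run-as><role-name>CustomerAccountRepositoryAdministrator</role-name></run-as>
      </security-identity>
    </session>
    <entity><ejb-name>Customer</ejb-name></entity>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>CustomerServiceRepresentative</role-name></security-role>
    <security-role><role-name>CustomerAccountRepositoryAdministrator</role-name></security-role>
    <method-permission>
      <role-name>CustomerServiceRepresentative</role-name>
      <method><ejb-name>AccountingSessionFacade</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>CustomerAccountRepositoryAdministrator</role-name>
      <method><ejb-name>Customer</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""


def audit(xml_text, caller="AccountingSessionFacade", callee="Customer"):
    """Return findings; an empty list means run-as and permissions agree."""
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for r in root.findall(".//j:security-role/j:role-name", NS)}
    # Roles permitted per bean; <unchecked/> means any caller is allowed.
    allowed = {}
    for perm in root.findall(".//j:method-permission", NS):
        roles = {r.text.strip() for r in perm.findall("j:role-name", NS)}
        if perm.find("j:unchecked", NS) is not None:
            roles.add("<unchecked>")
        for m in perm.findall("j:method", NS):
            allowed.setdefault(m.findtext("j:ejb-name", "", NS).strip(), set()).update(roles)
    used = set().union(*allowed.values()) - {"<unchecked>"}
    findings = [f"role {r} is used but not declared" for r in sorted(used - declared)]
    for bean in (caller, callee):
        if bean not in allowed:
            findings.append(f"{bean} has no method-permission entry")
    # The role the caller bean assumes when it invokes other components.
    run_as = None
    for bean in root.findall("j:enterprise-beans/*", NS):
        if bean.findtext("j:ejb-name", "", NS).strip() == caller:
            run_as = bean.findtext("j:security-identity/j:run-as/j:role-name", None, NS)
    permitted = allowed.get(callee, set())
    if run_as is None:
        findings.append(f"{caller} has no run-as role")
    elif "<unchecked>" not in permitted and run_as.strip() not in permitted:
        findings.append(f"{caller} runs as {run_as.strip()}, which {callee} does not permit")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE) or "policy consistent")
```

To audit a real project, pass the text of the generated ejb-jar.xml to `audit()` and adjust the `caller` and `callee` bean names to match the descriptor.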
The created EJB project has compile errors due to unresolved imports associated with the SecondSampleEventFactory. To fix the compile errors, add the event factory JAR file to the Java Build Path of the EJB project. The project is also dependent on the events-client.jar file. By default, the project is created to expect the events-client.jar to be found in c:\Program Files\IBM\Rational\SDP\6.0\runtimes\bi_v6\CEI\client, which is a directory within WebSphere Process Server V6.0 runtime.
If you do not have a WebSphere Process Server runtime installed on your workstation, you can get the JAR file from another installation of WebSphere Process Server V6.0 elsewhere and set up the Java Build Path of the EJB project to point to the location on your workstation where you put a copy of the events-client.jar file. The code created by the Event pattern requires WebSphere Process Server 6.0 to run because it invokes the CBE and CEI APIs, and CEI is currently only available from WebSphere Process Server.
Finally, you can examine the Java code generated for the Event pattern in the ejbModule folder of the EJB project. The details of the generated code can be found in the online help of the Event pattern described earlier.
You examined two J2EE Security patterns in this article that you can use to model EJB method level authorization and run-as identity policies. With these patterns you can specify security policies while following a model-driven development approach for your application modeling. You were also introduced to an Event pattern that lets you get started quickly in enabling your business services to generate CBEs. The events are sent to the CEI that is currently available in WebSphere Process Server V6.0. The events may subsequently be consumed by other services or persisted into a repository depending on the configuration of CEI within Process Server.
Although not demonstrated explicitly in this article, you can develop your own security patterns and transforms using the Rational Software Architect pattern and transform frameworks. The code generated by the Event pattern in this article follows the documentation on Event Factory as provided by the WebSphere Process Server. You can further enhance the Event pattern to leverage some of the latest best practices that are documented in the recent paper Best Practices for Common Base Event and Common Event Infrastructure.
| Description | Name | Size | Download method |
|---|---|---|---|
| Project Interchange for security event patterns | i-odoebp21code.zip | 115KB | HTTP |
Learn
- Series overview: Link to more articles in this series and an overview of this project, which demonstrates to business analysts, solution designers, and architects how to design and implement on demand solutions using the thirteen capabilities of the IBM On Demand Operating Environment.
- "Part 8: Build J2EE applications with IBM Rational Software Architect Enterprise Patterns" (developerWorks, May 2005): Get instructions about how to install and apply the Enterprise Patterns, including the Session Facade pattern referenced in this article.
- The "Securing enterprise bean applications" section of the WebSphere Application Server V6.0 Information Center explains EJB security, including method level authorization and run-as identity.
- The "Using the Common Event Infrastructure" section of the WebSphere Business Process Management Version 6.0 Information Center contains more information about how to configure CEI in Process Server and has links to the Eclipse Test and Performance Tools Platform (TPTP) project where you can find information on CBE.
- Read the white paper "Best Practices for Common Base Event and Common Event Infrastructure" for details about CBE and CEI best practices.
- Visit the developerWorks Rational Pattern Solutions zone to expand your patterns skills.
- Rational Software Architect: Learn more about the product.
Get products and technologies
- Download a free trial version of WebSphere Application Server Version 6.0, a mature product with proven success executing enterprise applications. (WebSphere Process Server is built on top of WebSphere Application Server Network Deployment.)
- Get more information about WebSphere Process Server.
- Build your next development project with IBM trial software, available for download directly from developerWorks.
Discuss
- developerWorks blogs: Get involved in the developerWorks community.

Janette Wong is a Senior Technical Staff Member at IBM. She leads patterns work in the BPM area. Janette led the initial inputs from the field, contributed to refining the pattern ideas and documentation, and the subsequent promotion of this patterns work. You can contact Janette at janette@ca.ibm.com.

Murray Beaton is a senior software engineer on the Business Process Management Architecture and Development team. Murray is also responsible for the creation of patterns and transforms for model-driven, on demand software development. Contact Murray at beatonm@ca.ibm.com.

Christina Lau is a senior technical staff member at IBM. Christina is chief architect for Business Process Management and Architecture and Development team. She is also a member of the IBM Academy of Technology. Contact Christina at clau@ca.ibm.com.

Dr. Yi-Hsiu Wei is a Senior Software Engineer at IBM. He is a member of the Software Group Strategy, Community team and is currently working on Business Organization Evolution and Transformation research and development. Dr. Wei has a broad interest in the areas of distributed systems, programming languages, security and directory, development tooling, modeling and transformation, and computer architectures. He has published over 20 refereed conference papers and journal papers, including two in IEEE Transactions on Computers. Contact Dr. Wei at ywei@us.ibm.com.
