Securing Java protocols - EJB

When Sterling Selling and Fulfillment Foundation APIs are deployed through EJB, they use a Java™ Naming and Directory Interface (JNDI) lookup for a context to call the EJB Objects.

JNDI looks up a context that is a handle to the EJB Object or API. The APIs themselves do not have authentication or authorization. However, a security principal and credentials can be supplied by specifying them in the yifclient.properties configuration file. The server can be set up to validate the passed security credentials.
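The following is an added example, not code from the product or its documentation: a custom client that performs its own JNDI lookup can pass the principal and credentials through the standard `javax.naming.Context` environment and refuse to fall back to an anonymous lookup. The property names, factory class, URL and account are hypothetical placeholders, not the keys that yifclient.properties uses.

```java
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class SecuredEjbLookup {
    // Hypothetical property names for this example only; they are not the
    // keys that yifclient.properties uses.
    static final String FACTORY = "example.jndi.factory", URL = "example.jndi.url";
    static final String PRINCIPAL = "example.jndi.principal", CREDENTIALS = "example.jndi.credentials";

    // Builds the JNDI environment and fails closed: no anonymous fallback.
    static Hashtable<String, Object> buildEnvironment(Properties p) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, require(p, FACTORY));
        env.put(Context.PROVIDER_URL, require(p, URL));
        env.put(Context.SECURITY_PRINCIPAL, require(p, PRINCIPAL));
        env.put(Context.SECURITY_CREDENTIALS, require(p, CREDENTIALS));
        return env;
    }

    static String require(Properties p, String key) {
        String value = p.getProperty(key, "");
        if (value.trim().isEmpty()) {
            throw new IllegalStateException("missing " + key + "; lookup refused");
        }
        return value;
    }

    // Authenticated lookup; needs a reachable server that validates the credentials.
    // A rejected login surfaces as javax.naming.AuthenticationException.
    static Object lookup(Properties p, String jndiName) throws NamingException {
        Context ctx = new InitialContext(buildEnvironment(p));
        try { return ctx.lookup(jndiName); } finally { ctx.close(); }
    }

    public static void main(String[] args) {
        Properties sample = new Properties(); // constructed sample values
        sample.setProperty(FACTORY, "com.example.ContextFactory");
        sample.setProperty(URL, "iiop://appserver.example:2809");
        sample.setProperty(PRINCIPAL, "api-client");
        try {
            buildEnvironment(sample); // credentials not set yet
        } catch (IllegalStateException e) {
            System.out.println("refused: " + e.getMessage());
        }
        sample.setProperty(CREDENTIALS, "constructed-secret");
        System.out.println("keys set: " + buildEnvironment(sample).keySet());
    }
}
```

`main` only builds the environment, so it runs without an application server; `lookup` is the call a real client would make once the server is configured to validate the credentials.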

The Sterling Selling and Fulfillment Foundation HTTP/HTTPS Interface uses JavaServer Pages (JSPs) installed on the application server and does not need access to JNDI.

There are two ways to protect the Sterling Selling and Fulfillment Foundation APIs over EJB:

If the application is deployed on WebSphere® or JBoss, you must set up permissions for the EJB methods. This does not affect any standard screens that are packaged with Sterling Selling and Fulfillment Foundation or the custom screens you create.

Important: If you attempt to run Sterling Selling and Fulfillment Foundation using HTTPS, the Applications Manager does not open.

If you build a custom user interface that calls the Sterling Selling and Fulfillment Foundation APIs through EJB instead of extending the Sterling Selling and Fulfillment Foundation Presentation Framework, you cannot use the client wrapper supplied with Sterling Selling and Fulfillment Foundation, because it currently cannot pass credentials. This also applies to any use of the YIFAPIFactory class.