Securing EJB interoperability

Enterprise JavaBeans (EJB) is a core J2EE technology. It is also another of the integration technologies that allow client programs to interact with Sterling™ Order Management System Software applications.

In this topic, we will discuss how you can secure access to EJB through authentication, authorization, and confidentiality.

At a high level, to invoke EJB, you first have to perform a Java™ Naming and Directory Interface (JNDI) lookup to find the appropriate home stub. Given the home stub, you then make a Remote Method Invocation (RMI) call to the stub. The RMI stub on the application server, in turn, calls the appropriate XAPI. By default, the IBM® application XAPIs are exposed as EJBs when the EAR is built.

EJB implementation

Currently, the IBM applications expose two different types of EJBs. First, there is a variant of EJB where parameters (such as the YFSEnvironment) are passed in as w3c Documents and results are also returned as w3c Documents. Technically speaking, this variant of the EJB is not compliant with the EJB specification, since the w3c Document is not serializable, as the EJB specification requires. The second variant of our EJB implementation accepts string versions of the parameters and returns a string.

Note: With some application servers, warnings are raised if the Document-based EJBs are deployed. These warnings can be avoided by suppressing deployment of these EJBs.

Security and EJB

As discussed earlier, an EJB invocation involves a JNDI lookup and an RMI invocation. From a security perspective, you should first secure access to JNDI so that only authorized users can look up EJBs. Secondly, you should ensure the JNDI transactions are performed over SSL to prevent attacks such as network sniffing. Once you have found the EJB stub, you then need to secure access to the RMI invocations. The RMI component of EJB can be secured through SSL.

Note: Some application servers might provide proprietary support for user authentication and authorization to the EJBs themselves. Those features are application server-specific and beyond the scope of this document.
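The following client-side lookup is an added example and is not code from IBM or from the YIFClient toolset. It shows the two points above in practice: the JNDI context is authenticated with a principal and credential taken from the environment rather than hard-coded, and the lookup is refused outright when the provider URL does not use a scheme that the deployment has mapped to SSL/TLS. The initial-context factory class, the TLS scheme names, the JNDI name of the bean and the home interface type are all application-server specific and are placeholders here; it assumes a J2EE-era classpath where javax.naming and javax.rmi.PortableRemoteObject are available.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;

/**
 * Secured JNDI lookup of an EJB home stub (illustrative, not product code).
 * All of the following are hypothetical placeholders that a deployment would
 * replace with its application server's values: the context factory class,
 * the TLS-capable URL scheme names, the JNDI name and the home interface.
 */
public class SecureEjbLookup {

    // URL schemes the application server maps to SSL/TLS. Placeholder names:
    // the real scheme depends on the server (the vendor documents it).
    static final Set<String> TLS_SCHEMES =
            new HashSet<>(Arrays.asList("iiops", "ssl-scheme-placeholder"));

    /** True only when the provider URL's scheme is one the deployment runs over TLS. */
    static boolean isTlsProviderUrl(String providerUrl, Set<String> tlsSchemes) {
        if (providerUrl == null) {
            return false;
        }
        try {
            String scheme = URI.create(providerUrl).getScheme();
            return scheme != null && tlsSchemes.contains(scheme.toLowerCase());
        } catch (IllegalArgumentException malformed) {
            return false;
        }
    }

    /**
     * Builds the JNDI environment. The principal and credential are supplied
     * by the caller (read from the process environment in main) so that no
     * secret is compiled into the client.
     */
    static Hashtable<String, Object> jndiEnvironment(String factoryClass, String providerUrl,
                                                     String user, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, factoryClass);
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /**
     * Looks up the home stub and narrows it to the expected home interface.
     * The lookup is refused before any connection is opened if the provider
     * URL is not TLS-capable, so credentials never travel in cleartext.
     */
    static Object lookupHome(Hashtable<String, Object> env, String jndiName, Class<?> homeType)
            throws NamingException {
        String providerUrl = (String) env.get(Context.PROVIDER_URL);
        if (!isTlsProviderUrl(providerUrl, TLS_SCHEMES)) {
            throw new IllegalStateException("refusing non-TLS JNDI provider URL: " + providerUrl);
        }
        Context ctx = new InitialContext(env);
        try {
            Object ref = ctx.lookup(jndiName);
            // narrow() is required for RMI-IIOP stubs; a plain cast may fail.
            return PortableRemoteObject.narrow(ref, homeType);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String user = System.getenv("EJB_USER");          // assumed env var names
        String password = System.getenv("EJB_PASSWORD");
        if (user == null || password == null) {
            System.err.println("EJB_USER and EJB_PASSWORD must be set");
            System.exit(2);
        }
        Hashtable<String, Object> env = jndiEnvironment(
                "com.example.PlaceholderInitialContextFactory",   // placeholder
                "iiops://appserver.example:2810",                  // placeholder TLS URL
                user, password);
        // Placeholder JNDI name and home interface; the real ones come from the EAR.
        Object home = lookupHome(env, "ejb/placeholder/XapiHome", Object.class);
        System.out.println("home stub narrowed: " + home.getClass().getName());
    }
}
```

The TLS guard is deliberately applied before `new InitialContext(env)` is called, because it is the context creation and the subsequent lookup that carry the principal and credential to the server; a check after the fact would be too late. A server-side complement is to require SSL on the RMI/IIOP listener as well, so that the method calls on the narrowed stub are protected in the same way as the lookup.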

Invoking EJBs

IBM provides a toolset called the YIFClient to invoke XAPIs from a Java client program.

Reduction of attack surface

We recommend that you do not configure EJBs into your deployment if you do not intend to use them. Omitting them reduces the attack surface of the application. To suppress EJB generation, pass the -Dnoejb flag during the EAR build.