Securing Java protocols - EJB
When the Sterling™ Order Management System Software APIs are deployed through EJB, they use a Java™ Naming and Directory Interface (JNDI) lookup for a context to call the EJB objects. The context that JNDI looks up is a handle to the EJB object or API. The APIs themselves perform no authentication or authorization. However, a security principal and credentials can be supplied by specifying them in the yifclient.properties configuration file, and the server can be set up to validate the credentials that are passed.
The Sterling Order Management System Software HTTP/HTTPS Interface uses JavaServer Pages (JSPs) installed on the application server and does not need access to JNDI. There are two ways to protect the Sterling Order Management System Software APIs over EJB:
- WebLogic allows JNDI and remote method invocation (RMI) to be tunneled over HTTP. Your architecture should therefore include a proxy that inspects all requests destined for Sterling Order Management System Software and ensures that every request is for HTML, not RMI or JNDI tunneled over HTTP.
- If Sterling Order Management System Software is deployed on WebLogic, a security realm should be set up to protect JNDI resources. This does not affect any screens that are packaged with Sterling Order Management System Software or any screens that extend Sterling Order Management System Software.
If the application is deployed on WebSphere®, you must set up permissions for the EJB methods. This does not affect any standard screens that are packaged with Sterling Order Management System Software or the custom screens you create.
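The proxy check described above can be expressed as an allowlist: only requests for the application's HTML, JSP and static resources pass, and everything else, including any HTTP-tunneled RMI or JNDI traffic, is rejected before it reaches the server. The following servlet filter is an added example written for this page, not code shipped with Sterling Order Management System Software or WebLogic. The context path `/sterling`, the permitted file extensions and the request size limit are assumptions to adjust to your deployment; the `/bea_wls_internal/` prefix is the path under which WebLogic's HTTP tunneling servlet has historically been served and is included as defense in depth only, so verify it against your WebLogic version.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Default-deny filter for a reverse proxy sitting in front of an EJB-exposed
 * application. Lets through only browser-style requests for HTML/JSP screens
 * and their static assets; refuses anything that looks like RMI/JNDI tunneled
 * over HTTP. Added example; the constants below are assumptions.
 */
public class HtmlOnlyFilter implements Filter {

    // Assumed web context of the application screens.
    private static final String APP_CONTEXT = "/sterling/";

    // Assumed resource types a browser legitimately asks for.
    private static final Pattern ALLOWED_PATH = Pattern.compile(
        "^/sterling/(?:[\\w./-]*/)?[\\w-]+(?:\\.(?:jsp|html|htm|css|js|gif|png|jpg|ico))?$");

    // Only the verbs an HTML front end needs.
    private static final Set<String> ALLOWED_METHODS = Set.of("GET", "POST", "HEAD");

    // Request bodies a browser form submission produces; anything else is refused.
    private static final Set<String> ALLOWED_CONTENT_TYPES = Set.of(
        "application/x-www-form-urlencoded", "multipart/form-data");

    // Assumed upper bound for a form post; tunneled RMI payloads are opaque binary blobs.
    private static final int MAX_BODY_BYTES = 1024 * 1024;

    // WebLogic's internal HTTP tunneling servlet prefix (assumption: verify for your version).
    private static final String WLS_TUNNEL_PREFIX = "/bea_wls_internal/";

    /** Returns null when the request is acceptable, otherwise the reason it is refused. */
    static String rejectReason(String method, String path, String contentType, int contentLength) {
        if (!ALLOWED_METHODS.contains(method)) {
            return "method not permitted";
        }
        if (path == null || path.contains("..") || path.startsWith(WLS_TUNNEL_PREFIX)) {
            return "path not permitted";
        }
        if (!path.startsWith(APP_CONTEXT) || !ALLOWED_PATH.matcher(path).matches()) {
            return "resource is not an HTML screen or static asset";
        }
        if ("POST".equals(method)) {
            if (contentType == null) {
                return "POST without a content type";
            }
            // Strip charset/boundary parameters before comparing the media type.
            String mediaType = contentType.split(";", 2)[0].trim().toLowerCase();
            if (!ALLOWED_CONTENT_TYPES.contains(mediaType)) {
                return "content type not permitted";
            }
            if (contentLength > MAX_BODY_BYTES) {
                return "request body too large";
            }
        }
        return null;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed for this example.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String reason = rejectReason(request.getMethod(), request.getRequestURI(),
                                     request.getContentType(), request.getContentLength());
        if (reason != null) {
            // Log the decision for detection purposes, then refuse without forwarding.
            request.getServletContext().log("Refused " + request.getMethod() + " "
                + request.getRequestURI() + " from " + request.getRemoteAddr() + ": " + reason);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

The same rules translate directly to a non-Java proxy: permit only the documented screen paths and form content types, cap body sizes, and log every refusal so that unexpected tunneling attempts show up in monitoring rather than silently reaching the JNDI tree.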
If a custom user interface is being built using the Sterling Order Management System Software APIs through EJB and not by extending the Sterling Order Management System Software Presentation Framework, you cannot use the client wrapper supplied with Sterling Order Management System Software because it currently is incapable of passing credentials. This also applies to any use of the YIFAPIFactory class.
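Because the supplied client wrapper and the YIFAPIFactory class cannot pass credentials, a custom EJB client has to put the security principal and credentials into the JNDI environment itself before it looks up the EJB home. The class below is an added example of that pattern and is not part of Sterling Order Management System Software. The property names `sterling.jndi.principal`, `sterling.jndi.credentials`, `sterling.jndi.url` and `sterling.ejb.jndiName` are placeholders invented for this example (they are not the keys in yifclient.properties), as is the properties file path; `weblogic.jndi.WLInitialContextFactory` is WebLogic's initial context factory, and the `javax.naming` and `javax.rmi` APIs are standard.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Hashtable;
import java.util.Properties;

import javax.ejb.EJBHome;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;

/**
 * Looks up an EJB home through JNDI with an authenticated context, so that a
 * server configured to protect its JNDI tree can validate the caller.
 * Added example; all property keys and the file path are placeholders.
 */
public class AuthenticatedEjbLookup {

    // Placeholder location; in a real deployment keep this file readable only by the client account.
    private static final String CLIENT_PROPERTIES = "/opt/app/conf/ejbclient.properties";

    private final Properties config;

    public AuthenticatedEjbLookup(Properties config) {
        this.config = config;
    }

    /** Loads the placeholder properties file and refuses to start without credentials. */
    public static AuthenticatedEjbLookup fromFile(String path) throws IOException {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(path)) {
            props.load(in);
        }
        for (String key : new String[] {"sterling.jndi.url", "sterling.jndi.principal",
                                        "sterling.jndi.credentials", "sterling.ejb.jndiName"}) {
            if (props.getProperty(key) == null || props.getProperty(key).isEmpty()) {
                throw new IllegalStateException("missing required property " + key);
            }
        }
        return new AuthenticatedEjbLookup(props);
    }

    /** Builds the JNDI environment with principal and credentials instead of an anonymous lookup. */
    Hashtable<String, String> jndiEnvironment() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, config.getProperty("sterling.jndi.url"));      // e.g. t3s://host:7002
        env.put(Context.SECURITY_PRINCIPAL, config.getProperty("sterling.jndi.principal"));
        env.put(Context.SECURITY_CREDENTIALS, config.getProperty("sterling.jndi.credentials"));
        return env;
    }

    /** Performs the authenticated lookup and narrows the reference to the EJB home interface. */
    public EJBHome lookupHome() throws NamingException {
        InitialContext ctx = new InitialContext(jndiEnvironment());
        try {
            Object ref = ctx.lookup(config.getProperty("sterling.ejb.jndiName"));
            // PortableRemoteObject is available on the Java 8 class library this stack typically runs on.
            return (EJBHome) PortableRemoteObject.narrow(ref, EJBHome.class);
        } finally {
            // Always release the context; it holds the authenticated connection.
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        AuthenticatedEjbLookup lookup = AuthenticatedEjbLookup.fromFile(CLIENT_PROPERTIES);
        EJBHome home = lookup.lookupHome();
        System.out.println("Looked up EJB home: " + home.getEJBMetaData().getHomeInterfaceClass().getName());
    }
}
```

With the WebLogic security realm or WebSphere EJB method permissions in place as described above, an anonymous `InitialContext` fails the lookup or the method call, while a context built this way is authenticated and authorized against the realm. Keep the properties file outside the web root with restrictive file permissions, since it now carries a credential.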