When can we hope to see a comprehensive security spec for EJB?

Richard Monson-Haefel

Currently the EJB security model supports authorization-level security. Authorization security, or access control, allows control over which users can invoke which methods on a bean. Access control in EJB is declarative, which simplifies the programming model.

It's possible that authentication security, which validates the identities of users accessing the system, will be defined in EJB 2.0. It's likely that the Java Authentication and Authorization security service will be used, but this is not definite. If this authentication is added to EJB, it will provide a standard and portable model for authenticating (logging in) users.

Secure communication, which is commonly implemented with technologies like SSL, may also be defined in EJB 2.0, but this is less likely since it's more of a value-added vendor feature than a requirement for portability.

The release date for EJB 2.0 (as of this writing) has not been determined. It seems likely that EJB 2.0 will become final sometime in late 2001 or 2002.