EJB security

Я вот нашёл, что можно юзать аутентификацию
через логин/пароль для получения контекста.
И пароль можно шифровать SSL-ем.

Oracle8i Enterprise JavaBeans and CORBA Developer's Guide

Connecting Using JNDI
Before you can use JNDI to connect your client program to an Oracle8i server, you must set up an environment for the JNDI context. You can use a hash table or a properties list for the environment. The examples in this guide always use a Java Hashtable, as follows:

Hashtable environment = new Hashtable();

Next, you set up properties in the hash table. You must always set the Context URL_PKG_PREFIXES property. The remaining properties that you can set are for authentication. They are:

javax.naming.Context.SECURITY_PRINCIPAL

javax.naming.Context.SECURITY_CREDENTIALS

javax.naming.Context.SECURITY_ROLE

javax.naming.Context.SECURITY_AUTHENTICATION

These properties are described in the following sections.

URL_PKG_PREFIXES
Context.URL_PKG_PREFIXES holds the name of the environment property for specifying the list of package prefixes to use when loading in URL context factories. The value of the property should be a colon-separated list of package prefixes for the class name of the factory class that will create a URL context factory.

In the current implementation, this property must always be supplied in the Context environment, and it must be set to the String "oracle.aurora.jndi".

SECURITY_PRINCIPAL
Context.SECURITY_PRINCIPAL holds the database username.

SECURITY_CREDENTIALS
Context.SECURITY_CREDENTIAL holds the clear-text password. This is the Oracle database password for the SECURITY_PRINCIPAL (the database user). In all of the three authentication methods mentioned in SECURITY_AUTHENTICATION below, the password is encrypted when it is transmitted to the server.

SECURITY_ROLE
Context.SECURITY_ROLE holds the Oracle8i database role with which the user is connecting. For example, "CLERK" or "MANAGER".

SECURITY_AUTHENTICATION
Context.SECURITY_AUTHENTICATION holds the name of the environment property that specifies the type of authentication to use. Values for this property provide for the authentication types supported by Oracle8i. There are three possible values. These values are defined in the ServiceCtx class, and are:

ServiceCtx.NON_SSL_LOGIN: Authenticate using the Login protocol over a standard TCP/IP connection (not a secure socket layer connection). The Login protocol provides for encryption of the password as it is transmitted from the client to the server. See "The Login Protocol" for more information about this protocol.

ServiceCtx.SSL_CREDENTIAL: Authenticate using the credential protocol over a secure socket layer (SSL) connection. Encryption of the password is provided by the secure socket layer.

SSL_LOGIN: Authenticate using the Login protocol over an SSL connection. The extra encryption provided by the Login protocol is redundant in this case, and use of SSL_CREDENTIAL might be slightly more time efficient.

Note: To use an SSL connection, you must be able to access a listener that has an SSL port configured, and the listener must be able to redirect requests to an SSL-enabled dispatcher IIOP port. You must also include the library vbj30ssl.jar when you compile and build your application. See the Net8 Administrator's Guide for more information about configuration, and see EJB README file for information about the location of the vbj30ssl.jar file.

Context Methods
The Context interface contains a number of methods that the CORBA and EJB application developer will use. The methods required have been implemented in the ServiceCtx and SessionCtx classes that implement methods in the Context interface.

The JNDI InitialContext Class
InitialContext is a class in the javax.naming package that implements the Context interface. All naming operations are relative to a context. The initial context implements the Context interface and provides the starting point for resolution of names.

Constructor
You construct a new initial context using the constructor:

public InitialContext(Hashtable environment)


passing it a hashtable that has the environment information described in "Connecting Using JNDI" above. The following code fragment sets up an environment for a typical client, and creates a new initial context:

Hashtable env = new Hashtable();
env.put(Context.URL_PKG_PREFIXES, "oracle.aurora.jndi");
env.put(Context.SECURITY_PRINCIPAL, "scott");
env.put(Context.SECURITY_CREDENTIALS, "tiger");
env.put(Context.SECURITY_AUTHENTICATION, ServiceCtx.NON_SSL_LOGIN);
Context ic = new InitialContext(env);

Method
The most common initial context class method that the CORBA or EJB application developer will use is

public Object lookup(String URL)


You use lookup() to create a new service context, specifying in the URL the service identifier. The return result must be cast to ServiceCtx when a new service context is being created. For example, if initContext is a JNDI initial context, the following statement creates a new service context:

ServiceCtx service =
(ServiceCtx) initContext.lookup("sess_iiop://localhost:2481:ORCL");

Мне нужно шифровать весь EJB-трафик, а не только
момент аутентификации.
Поэтому я планирую применить такое решение,
как ssh-port forwarding c логином и паролем,
который будет периодически меняться.

Простите, что прерываю Ваш монолог, но обратите внимание на такие штуки, как:
ldap/java.naming.security.protocol
&&
ldap/java.naming.security.authentication (про который Вы писали во 2ой части Вашего монолога)

И вдогонку:
Если уж совсем заморачиваться на безопасности, то можно в ejb-jar.xml для каждого метода бина прописать свою юзерскую роль.