5 Replies Latest reply on May 16, 2004 1:43 PM by erik777

    Security context propagation from web client to ejb

    jcgagne

      Hi,

      I have Tomcat 4.1.29 and JBoss 3.2.2 running on 2 different VMs. On the web application side, security constraints are defined in web.xml using the J2EE standard.

      Now I need to secure our EJBs. I want the security context in the web side for the current request to be propagated with the EJB call, or at least the associated Principal.

      How can I do this?

      JCG

        • 1. Re: Security context propagation from web client to ejb
          anbenham

          I have the same problem too, using JBoss 3.2.3 and Tomcat.

          It would be very helpful for our web developers to develop only with Tomcat, and just test with Tomcat/JBoss.

          Any tips about that?

          • 2. Re: Security context propagation from web client to ejb
            starksm64

            A standalone Tomcat instance is no different than a Java client. You have to establish the security context for calls into the ejb container. If you want to reuse the security context presented to the web container, then you need non-standard integration such as a Tomcat valve to gain access to this information. This is what the security layer does in the embedded version of Tomcat/JBoss.

            • 3. Re: Security context propagation from web client to ejb
              pilhuhn

              I am basically having the same problem, but within one VM. Servlet authentication is no problem, accessing secured ejbs from a client in a different VM is also no problem - only accessing secured ejbs from the servlet (in the same VM) fails.
              I am probably missing something very obvious.

              Excerpt from the log:


              2004-05-15 11:40:23,923 TRACE [org.jboss.security.plugins.JaasSecurityManager.adb] updateCache, subject=Betreff:
              Principal: elke
              Principal: Roles(members:ADBadmin)


              2004-05-15 11:40:23,933 TRACE [org.jboss.security.plugins.JaasSecurityManager.adb] validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@150b45a

              2004-05-15 11:40:32,535 INFO [STDOUT] add (in servlet)

              2004-05-15 11:40:32,535 TRACE [org.jboss.security.plugins.JaasSecurityManager.adb] validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@39452f

              2004-05-15 11:40:32,535 TRACE [org.jboss.ejb.plugins.SecurityInterceptor] Authenticated principal=null

              2004-05-15 11:40:32,535 TRACE [org.jboss.ejb.plugins.SecurityInterceptor] method=public abstract de.bsd.adb.ejb.Facade de.bsd.adb.ejb.FacadeHome.create() throws javax.ejb.CreateException,java.rmi.RemoteException, interface=HOME, requiredRoles=[<ANYBODY>]

              2004-05-15 11:40:32,535 TRACE [org.jboss.security.plugins.JaasSecurityManager.adb] validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@39452f

              2004-05-15 11:40:32,535 TRACE [org.jboss.ejb.plugins.SecurityInterceptor] Authenticated principal=null

              2004-05-15 11:40:32,535 TRACE [org.jboss.ejb.plugins.SecurityInterceptor] method=public abstract de.bsd.adb.beans.Adresse de.bsd.adb.ejb.Facade.add(de.bsd.adb.beans.Adresse) throws java.rmi.RemoteException, interface=REMOTE, requiredRoles=[ADBadmin]

              2004-05-15 11:40:32,535 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions, principal=null, method=add, interface=REMOTE, requiredRoles=[ADBadmin], principalRoles=[]


              In login-config.xml, I have an authentication, which is referred to in jboss.xml and jboss-web.xml.

              I am using the DB-Server Login-Module; result does not change if I also add a ClientLoginModule before or after the DB-Server Module.

              • 4. Re: Security context propagation from web client to ejb
                pilhuhn

                Forgot: this is on 3.2.3 with Tomcat.
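Following starksm64's point that the caller itself has to establish the security context for the EJB container, here is an added example (not code from any poster in this thread, nor JBoss's own) of a servlet doing exactly that before calling the Facade bean from pilhuhn's log: it logs in through the client-login domain that JBoss 3.2 ships in login-config.xml (backed by org.jboss.security.ClientLoginModule) and logs out again in a finally block. Assumptions: the JNDI name ejb/Facade, that the web login page kept the user's credential in the server-side HttpSession, and the de.bsd.adb.ejb home/remote interfaces named in the log.

```java
import java.io.IOException;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.security.auth.callback.UsernamePasswordHandler;
import de.bsd.adb.ejb.Facade;
import de.bsd.adb.ejb.FacadeHome;

public class SecuredFacadeServlet extends HttpServlet {
    // "client-login" is the application-policy in JBoss 3.2's default login-config.xml
    // using org.jboss.security.ClientLoginModule. It authenticates nothing itself; it
    // only attaches principal and credential to the calling thread so the EJB
    // SecurityInterceptor can validate them against the bean's security domain.
    private static final String CLIENT_LOGIN_DOMAIN = "client-login";
    private static final String FACADE_JNDI_NAME = "ejb/Facade"; // assumed JNDI name

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // web.xml constraints already ran, so getRemoteUser() is trustworthy here.
        // ClientLoginModule also needs the credential; assumed to be in the HttpSession.
        String user = req.getRemoteUser();
        String password = (String) req.getSession().getAttribute("password");
        if (user == null || password == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        LoginContext lc = null;
        try {
            lc = new LoginContext(CLIENT_LOGIN_DOMAIN,
                    new UsernamePasswordHandler(user, password.toCharArray()));
            lc.login(); // identity is now associated with this request's thread
            Object ref = new InitialContext().lookup(FACADE_JNDI_NAME);
            FacadeHome home = (FacadeHome) PortableRemoteObject.narrow(ref, FacadeHome.class);
            Facade facade = home.create();
            // Calls such as facade.add(...) now reach the bean with principal=user
            // and that user's roles instead of principal=null.
        } catch (Exception e) {
            throw new ServletException("Secured EJB call failed for " + user, e);
        } finally {
            // Servlet threads are pooled: always clear the association so the
            // identity cannot leak into the next request served by this thread.
            if (lc != null) { try { lc.logout(); } catch (LoginException ignore) {} }
        }
    }
}
```

Without the logout in finally, the thread-associated principal survives into whatever request the pooled thread serves next, which is the failure mode to test for when wiring this up.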

                • 5. Re: Security context propagation from web client to ejb
                  erik777

                  This is why I chose tokenized security instead of JAAS, which I view as a work in progress. You can pass a user session token as a simple parameter to any EJB method from any Java client. With one line of code, your EJB method can validate that the user has access to the business method. The line of code will throw an AccessDenied exception if the user does not have access, which your client framework can handle in a standardized way. No container context is required for tokenized security. Indeed, it is even J2EE vendor independent, so your WebSphere clients can call JBoss EJBs.