4 Replies Latest reply on Nov 15, 2005 9:47 AM by oglueck

newbie: JAAS howto using EJB3

patrick_ibg Nov 14, 2005 7:17 PM

Can anyone point to any examples on how to use the JAAS framework with EJB3? Preferably using RDBMS backed authentication...

1. Re: newbie: JAAS howto using EJB3

oglueck Nov 15, 2005 4:19 AM (in response to patrick_ibg)

Your session bean:
@SecurityDomain("mydomain")
@Stateless
@Remote({ITestBean.class})
public class TestBean implements ITestBean {
@RolesAllowed("myrole")
public String accessPermitted() {
return sc.getCallerPrincipal().getName();
}
}

Define the security domain in conf/login-config.xml:
<application-policy name = "mydomain">

<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "dsJndiName">java:/myDS</module-option>
<module-option name = "principalsQuery">SELECT PASSWD FROM USERS WHERE USERID=?</module-option>
<module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM ROLES WHERE USERID=?</module-option>
</login-module>

</application-policy>

From a client (outside JBoss):
ClassLoader cl = Thread.currentThread().getContextClassLoader();
URL authconf = cl.getResource("jaas.conf");
// work around a JDK bug that fails to unescape the URL
String p = URLDecoder.decode(authconf.toExternalForm(), "UTF-8");
System.setProperty("java.security.auth.login.config", p);

CallbackHandler handler = ....; // your JAAS callback handler
LoginContext auth = new LoginContext("other", handler);
auth.login();

// make calls to session beans
Context jndi = new InitialContext();
ITestBean bean = (ITestBean) jndi.lookup(ITestBean.class.getName());
log.debug(bean.accessPermitted());
auth.logout();

jaas.conf is something like this:
other {
org.jboss.security.ClientLoginModule required;
};
Actions
2. Re: newbie: JAAS howto using EJB3

patrick_ibg Nov 15, 2005 9:24 AM (in response to patrick_ibg)

The annotations seem to get rid of alot of XML that I see with EJB2.1 based security configuration examples. I have a few additional questions...

1. Would the client code be much different if it was a web app (war file running in JBoss)?

2. As for the "conf/login-config.xml", it looks like I can only have one per JBoss instance, but can define multiple domains within this file?

3. What is jaas.conf for, and where does it go?

Thanks in advance.
Actions
3. Re: newbie: JAAS howto using EJB3

patrick_ibg Nov 15, 2005 9:31 AM (in response to patrick_ibg)

One more newbie question :)

4. Does JAAS (or some other JBoss security mechanism) allow for "owner" permissions, like if I am a "Customer", I can only modify my "Address", etc.
Actions
4. Re: newbie: JAAS howto using EJB3

oglueck Nov 15, 2005 9:47 AM (in response to patrick_ibg)

1. Webapps are web clients, not application clients. Webapps should therefore use the security mechanisms provided by the J2EE specs. i.e. you define the realm and roles to use in the web.xml and jboss-web.xml
JAAS and the servlet container do the rest. The security context is automatically propagated with your EJB calls. That means in web clients there is no code necessary. It is pure configuration.

2. Yes. You can also define a dynamic login config, so you are able to deploy the config with your application. see http://wiki.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig

3. This is the configuration for JAAS. RTFM at http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html

4. Of course. We call this a "role". Access control is enforced on session beans. Not sure if you can enforce it on entity beans, too. Check the specs.
Actions

Go to original post