5 Replies Latest reply on Jul 24, 2006 11:52 AM by adogg

    EJB SecurityDomain across servers

    adogg

      So, I've got a MDB on one server that wants to call an EJB3 on another server. The EJB3 is secured with a SecurityDomain on its server and I want the MDB to be able to call the EJB3 with a role as per the security-identity, run-as, etc. tags, but, of course, the EJB's SecurityDomain doesn't exist on the MDB's server.

      Now, both servers do have access to the same database that stores login information. So, I tried to just set up another SecurityDomain on the MDB's server of the same name, hitting the same database, but that didn't work (AuthorizationFailures where principal=null and principalRoles=null).

      Is there a general approach for "sharing" JAAS security domains across servers in situations like these? I don't want to hardcode a u/p into my MDB for its EJB calls.

      All servers are JBoss 4.0.4.GA

        • 1. Re: EJB SecurityDomain across servers
          soshah

          Andrew-

          Instead of hardcoding the username/password in your MDB client code that calls the EJB3 on another server, you may have to propagate the "Subject" established in the MDB over to the remote EJB3 using the client-side login mechanism detailed here:

          http://wiki.jboss.org/wiki/Wiki.jsp?page=ClientLoginModule

          • 2. Re: EJB SecurityDomain across servers
            adogg

            Thanks. I was under the impression that ClientLoginModule just passed already established credentials: "...It merely copies the login information provided to it into the JBoss server EJB invocation layer..."

            I don't want my MDB to hold or authenticate any credentials, simply assume a given security role like the EJB3 @RunAs annotation.

            Am I misunderstanding?

            • 3. Re: EJB SecurityDomain across servers
              soshah

              I don't want my MDB to hold or authenticate any credentials, simply assume a given security role like the EJB3 @RunAs annotation.


              Your MDB does not authenticate/hold any credentials. You should be able to invoke it just with EJB3 @RunAs annotation.


              It's when the MDB tries to call an EJB3 bean that is located in another app server. That's when you need to use the client-login module mechanism to propagate the "Subject" from your MDB server to your EJB3 server.

              But I believe your EJB3 on the remote server can still be configured with regular security annotations.
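              The client-side login mechanism described above, as an added example that is not code from the thread or from JBoss itself: the MDB logs in through the "client-login" JAAS configuration entry (which JBoss 4.x ships in conf/login-config.xml backed by org.jboss.security.ClientLoginModule), so the principal and credential are attached to the outgoing EJB invocation and the remote server's SecurityDomain does the actual authentication and role check. The queue name, the JNDI name "RemoteTestEJB3InterfaceSecured", the host "ejbserver.example.com" and the two env-entries "serviceUser" / "servicePassword" are assumed placeholders; the credential is read from env-entries rather than hardcoded in the bean.

```java
import java.util.Properties;
import javax.annotation.Resource;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.MessageDriven;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

// Added example, not from the original thread. Assumed placeholders:
// the queue, the remote host, the JNDI name and the two env-entries.
@MessageDriven(activationConfig = {
    @ActivationConfigProperty(propertyName = "destinationType", propertyValue = "javax.jms.Queue"),
    @ActivationConfigProperty(propertyName = "destination", propertyValue = "queue/example")
})
public class ForwardingMDB implements MessageListener {

    // Service identity for the remote call, injected from <env-entry> elements
    // in ejb-jar.xml so it is not hardcoded in the source.
    @Resource(name = "serviceUser")
    private String serviceUser;

    @Resource(name = "servicePassword")
    private String servicePassword;

    public void onMessage(Message msg) {
        LoginContext lc = null;
        try {
            // ClientLoginModule performs no authentication of its own; it only
            // copies the principal/credential into the JBoss EJB invocation layer
            // so the remote server's SecurityDomain can verify them.
            lc = new LoginContext("client-login",
                    new UsernamePasswordHandler(serviceUser, servicePassword.toCharArray()));
            lc.login();

            // Look up the remote EJB3 on the other server.
            Properties env = new Properties();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
            env.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
            env.put(Context.PROVIDER_URL, "jnp://ejbserver.example.com:1099");
            Context ctx = new InitialContext(env);
            RemoteTestEJB3InterfaceSecured bean =
                (RemoteTestEJB3InterfaceSecured) ctx.lookup("RemoteTestEJB3InterfaceSecured");

            // The remote container checks @RolesAllowed against the propagated identity.
            bean.doSecure();
        } catch (Exception e) {
            throw new RuntimeException("remote EJB3 call failed", e);
        } finally {
            // Always clear the association so the identity does not leak to
            // later work on this thread.
            if (lc != null) {
                try { lc.logout(); } catch (Exception ignored) { }
            }
        }
    }
}
```

              Note that this is propagation, not run-as: the identity the remote server sees is the one logged in here, and its roles come from the remote server's SecurityDomain, which is why an identically named domain on the MDB's server does not help by itself.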

              • 4. Re: EJB SecurityDomain across servers
                adogg

                Yeah, I tried stripping everything down and I couldn't find a way to secure the remote interface only. Perhaps I'm doing something wrong, but the method in this class, for example:

                import javax.annotation.security.RolesAllowed;
                import javax.ejb.Remote;
                import org.jboss.annotation.security.SecurityDomain;

                // Security annotations placed only on the remote interface;
                // TestEJB3InterfaceSecured is defined elsewhere.
                @Remote
                @SecurityDomain("mydomain")
                public interface RemoteTestEJB3InterfaceSecured extends TestEJB3InterfaceSecured {

                    @RolesAllowed("admin")
                    void doSecure();
                }


                can be called by remote callers without having to authenticate, unless security is also placed on the implementation bean.

                I couldn't find a section of the spec that mentions this, either.

                Kind of disappointing that I can't place security restrictions on remote callers exclusively.
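                The form that does get enforced in the situation described above, as an added example that is not code from the thread or from JBoss: the @SecurityDomain and @RolesAllowed annotations sit on the bean class, which is what the container reads. The bean class name and the method body are assumptions; the interface and domain names are taken from the post.

```java
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import org.jboss.annotation.security.SecurityDomain;

// Added example, not from the original thread. The class name is assumed.
// Annotations on the implementation class are what the container enforces;
// the same annotations on the remote interface alone are not applied.
@Stateless
@SecurityDomain("mydomain")
public class TestEJB3Bean implements RemoteTestEJB3InterfaceSecured {

    // Every caller, remote or local, must now carry the "admin" role.
    @RolesAllowed("admin")
    public void doSecure() {
        // protected work goes here
    }
}
```

                If the intent is to restrict only remote callers, the container has no per-interface switch for that; the practical alternative is a separate, unannotated local interface with its own method set, so that the methods exposed remotely are the only ones carrying the role restriction.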

                • 5. Re: EJB SecurityDomain across servers
                  adogg

                  Whoops. Posted that to the wrong thread. Meant to post to http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3960447