1. Re: EJB SecurityDomain across servers
soshah Jul 6, 2006 10:54 AM (in response to adogg)
Andrew-
Instead of hardcoding the username/password in your MDB client code that calls the EJB3 on another server, you may have to propagate the "Subject" established in the MDB over to the remote EJB3 using the client-side login mechanism detailed here:
http://wiki.jboss.org/wiki/Wiki.jsp?page=ClientLoginModule
2. Re: EJB SecurityDomain across servers
adogg Jul 6, 2006 11:42 AM (in response to adogg)
Thanks. I was under the impression that ClientLoginModule just passed already established credentials: "...It merely copies the login information provided to it into the JBoss server EJB invocation layer..."
I don't want my MDB to hold or authenticate any credentials, simply assume a given security role like the EJB3 @RunAs annotation.
Am I misunderstanding?
3. Re: EJB SecurityDomain across servers
soshah Jul 6, 2006 12:16 PM (in response to adogg)
> I don't want my MDB to hold or authenticate any credentials, simply assume a given security role like the EJB3 @RunAs annotation.
Your MDB does not authenticate/hold any credentials. You should be able to invoke it just with the EJB3 @RunAs annotation.
It's when the MDB tries to call an EJB3 bean that is located in another app server. That's when you need to use the client-login module mechanism to propagate the "Subject" from your MDB server to your EJB3 server.
But I believe your EJB3 on the remote server can still be configured with regular security annotations.
4. Re: EJB SecurityDomain across servers
adogg Jul 24, 2006 11:50 AM (in response to adogg)
Yeah, I tried stripping everything down and I couldn't find a way to secure the remote interface only. Perhaps I'm doing something wrong, but the method in this class, for example:
    @Remote
    @SecurityDomain("mydomain")
    public interface RemoteTestEJB3InterfaceSecured extends TestEJB3InterfaceSecured {
        @RolesAllowed("admin")
        void doSecure();
    }
can be called by remote callers without having to authenticate, unless security is also placed on the implementation bean.
I couldn't find a section of the spec that mentions this, either.
Kind of disappointing that I can't place security restrictions on remote callers exclusively.
5. Re: EJB SecurityDomain across servers
adogg Jul 24, 2006 11:52 AM (in response to adogg)
Whoops. Posted that to the wrong thread. Meant to post to http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3960447
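
An added example, not part of the thread and not JBoss code: a reflection audit that flags the situation described in post 4, where a role restriction sits on an interface method while the implementing bean method carries none. The nested RolesAllowed annotation and TestBean are constructed stand-ins so the file compiles without a Java EE jar; only directly implemented interfaces are checked.

```java
import java.lang.annotation.*;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.*;

public class InterfaceOnlySecurityAudit {
    // Constructed stand-in so this compiles without a Java EE jar. Matching is by
    // simple name, so javax.annotation.security.RolesAllowed is caught the same way.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.METHOD, ElementType.TYPE})
    @interface RolesAllowed { String[] value(); }

    // Constructed sample shaped like the interface in the post; TestBean is hypothetical.
    interface RemoteTestEJB3InterfaceSecured {
        @RolesAllowed("admin") void doSecure();
    }
    static class TestBean implements RemoteTestEJB3InterfaceSecured {
        public void doSecure() { }
    }

    static final Set<String> SECURITY = Set.of("RolesAllowed", "PermitAll", "DenyAll");

    static boolean hasSecurity(AnnotatedElement e) {
        for (Annotation a : e.getAnnotations())
            if (SECURITY.contains(a.annotationType().getSimpleName())) return true;
        return false;
    }

    /** Methods restricted on a directly implemented interface but not on the bean class. */
    static List<String> unprotected(Class<?> bean) {
        List<String> findings = new ArrayList<>();
        if (hasSecurity(bean)) return findings; // class-level annotation applies to every method
        for (Class<?> iface : bean.getInterfaces())
            for (Method im : iface.getMethods()) {
                if (!hasSecurity(im)) continue;
                try {
                    // Method annotations are never inherited from an interface,
                    // so the bean's own method must carry one itself.
                    Method bm = bean.getMethod(im.getName(), im.getParameterTypes());
                    if (!hasSecurity(bm)) findings.add(bean.getSimpleName() + "." + im.getName());
                } catch (NoSuchMethodException ex) { /* not implemented here; nothing to report */ }
            }
        return findings;
    }

    public static void main(String[] args) {
        System.out.println(unprotected(TestBean.class));
    }
}
```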