13 Replies Latest reply on Jul 19, 2006 8:30 AM by markus.wahl

    Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar.xml

    markus.wahl

      Hi, great forum.

      I am reading the "Security on JBoss" chapter of "The JBoss 4 Application Server Guide" (http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html)
      but I get confused when it starts talking about a file called ejb-jar.xml (section "8.1. J2EE Declarative Security Overview"). I have successfully built an EJB 3 application (by following the EJB Trailblazer http://trailblazer.demo.jboss.com/EJB3Trail/)
      and I don't use any ejb-jar.xml file.

      Is there a more appropriate documentation for me about how I can secure my application on JBoss 4.0.4 other than http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html?

      Or do I have to start using that file because I want to access control my application?

      /Markus

        • 1. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
          j2ee_junkie

          See the EJB3 wiki for documentation on how to use annotations to provide the same configurations as the ejb-jar.xml.

          http://wiki.jboss.org/wiki/Wiki.jsp?page=EJB3

          cgriffith

          • 2. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
            markus.wahl

            Hi cgriffith, that was quick. Thank you. A follow-up question perhaps:

            "j2ee_junkie" wrote:
            See the EJB3 wiki for documentation on how to use annotations to provide the same configurations as the ejb-jar.xml.

            http://wiki.jboss.org/wiki/Wiki.jsp?page=EJB3


            Is this what you meant: http://docs.jboss.org/ejb3/app-server/tutorial/security/security.html ?
            It mentions javax.annotation.security.RolesAllowed, javax.annotation.security.PermitAll as well as the JBoss specific org.jboss.ejb3.security.SecurityDomain. I read in an older post (approx 18 months old: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=59428)
            that the future may present a way to avoid using that specific JBoss-specific annotation by using some deployment descriptor instead. Is the mentioned ejb-jar.xml that descriptor, or is that yet to come?

            If ejb-jar.xml is the foreseen descriptor, can I combine the use of the nice annotations PermitAll and RolesAllowed with ejb-jar.xml, or do I have to scrap the annotation trail altogether and declare everything in the ejb-jar.xml, do you think?

            thank you,
            markus



            • 3. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
              markus.wahl

              The Security chapter also mentions jboss.xml and jboss-web.xml ("8.3.1. Enabling Declarative Security in JBoss Revisited"). But the excellent EJB3 trailblazer didn't mention them. It did mention application.xml and jboss-app.xml. My application uses those files as well as a web.xml for the data layer.

              Do I need to start using jboss.xml and jboss-web.xml too, or is there a way around that so I only need to use application.xml, jboss-app.xml and web.xml?

              mvh,
              markus

              • 4. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
                j2ee_junkie

                Hi Markus,

                Yes to all. I think it is important to note that ejb-jar.xml is the descriptor file for bean configuration (it has always been). The addition of annotations in EJB3 just makes that descriptor unnecessary, unless you want to use it. If you use both, the descriptor should override annotations.

                enjoy, cgriffith

                • 5. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
                  markus.wahl

                  thanks cgriffith. but pls pardon my stubborn interrogation:

                  "j2ee_junkie" wrote:
                  Yes to all.

                  A good answer. But still I wonder about the bit about combining the good ejb annotations with the ejb-jar.xml. Was I correct in assuming that I can use just a piece of ejb-jar.xml to make up for my refusal to put the JBoss specific SecurityDomain annotation in my ejbean? Now, all I wonder is what piece is that? Could you perhaps tell us that?

                  "j2ee_junkie" wrote:
                  enjoy, cgriffith

                  why, yes

                  /marküs


                  • 6. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
                    j2ee_junkie

                    Markus,

                    Since the SecurityDomain is a JBoss specific configuration, it does not go in the ejb-jar.xml. I figured you would have known how to configure JBoss. In this case, see the jboss.xml file and its DTD for definitions.

                    cgriffith

                    • 7. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
                      markus.wahl

                       

                      "j2ee_junkie" wrote:
                      Since the SecurityDomain is a JBoss specific configuration, it does not go in the ejb-jar.xml. I figured you would have known how to configure JBoss. In this case, see the jboss.xml file and its DTD for definitions.


                      ok thanx, I'll do that. but couldn't I declare the securitydomain in jboss-app.xml instead of jboss.xml?

                      • 8. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
                        markus.wahl

                         

                        "Markus.Wahl" wrote:
                        "j2ee_junkie" wrote:
                        Since the SecurityDomain is a JBoss specific configuration, it does not go in the ejb-jar.xml. I figured you would have known how to configure JBoss. In this case, see the jboss.xml file and its DTD for definitions.


                        but couldn't I declare the securitydomain in jboss-app.xml instead of jboss.xml?


                        there is an issue about using jboss-app.xml instead of jboss.xml: http://jira.jboss.com/jira/browse/EJBTHREE-281
                        but the guy there got no answer to his question. using jboss-app.xml instead of each ejb-jar file's jboss.xml to specify a security domain would mean that all ejb beans use the same security domain (unless overridden), right?

                        • 9. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
                          markus.wahl

                          so this is what I tried:

                          *renaming the "other" application policy of file login-config.xml (residing in the AS conf dir) to "mine" (in order to make sure that the default security domain "other" does not kick in)

                          *editing jboss-app.xml:

                          <jboss-app>
                           <security-domain>java:/jaas/other</security-domain>
                           <loader-repository>name:app=ejb3</loader-repository>
                          </jboss-app>
                          

                          *removing the @SecurityDomain annotation from my bean

                          when I try this, all the roles defined in web.xml are allowed access to my jsp files (this was expected). but all users get access to my ejb bean. I define two roles in web.xml, but only one of those roles is mentioned in my ejb bean using the @RolesAllowed annotation.

                          when I try with a user of the role not mentioned by @RolesAllowed while the "mine" security domain is not configured, all is fine: the user doesn't get to use the ejb bean.

                          so what am I missing? is the ejb layer security being set aside just because I use another name for my security domain? hardly; it must be that I have configured something amiss. but what? do you know, cgriffith?

                          • 10. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
                            markus.wahl

                             

                            "Markus.Wahl" wrote:
                            when I try this, all the roles defined in web.xml are allowed access to my jsp files (this was expected). but all users get access to my ejb bean. I define two roles in web.xml, but only one of those roles is mentioned in my ejb bean using the @RolesAllowed annotation.


                            I have discovered if I do use @SecurityDomain("mine") it suddenly works. So I have accomplished avoiding creating jboss-web.xml, but I still need to figure out how to avoid using the JBoss specific annotation or creating jboss.xml. do you think it is possible at all?


                            • 11. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
                              markus.wahl

                               

                              "Markus.Wahl" wrote:
                              I have discovered if I do use @SecurityDomain("mine") it suddenly works. So I have accomplished avoiding creating jboss-web.xml, but I still need to figure out how to avoid using the JBoss specific annotation or creating jboss.xml. do you think it is possible at all?

                              I have verified now that specifying
                              <security-domain>java:/jaas/JSolutionsCRM</security-domain>
                              in jboss-app.xml and not using the @SecurityDomain annotation and instead specifying
                              <security-domain>JSolutionsCRM</security-domain>
                              in jboss.xml works.

                              Note that there must be no java:/jaas/ part in the jboss.xml version. is that the reason why it is not sufficient to have jboss-app.xml and no jboss.xml nor annotation? that the ejb layer has no way of figuring out by itself that java:/jaas/ has to be removed from the security domain name?

                              • 12. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
                                j2ee_junkie

                                Markus,

                                I assume you got things working. Just a note, this forum is useful to keep track of now and in the future. Had you done some searching you may have found this http://www.jboss.com/index.html?module=bb&op=viewtopic&t=78329.

                                let us know if you still have problems, cgriffith

                                • 13. Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
                                  markus.wahl

                                   

                                  "j2ee_junkie" wrote:
                                  I assume you got things working.

                                  oh yes, I use the jboss-app.xml instead of jboss-web.xml, but I still need either jboss.xml or the SecurityDomain annotation. No chance of ridding them both so I only need the jboss-app.xml?
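
A pre-deployment check for the situation the thread ends on, where each EJB module needs its own security domain source (jboss.xml or the annotation) in addition to jboss-app.xml. This is an added example, not code from the thread or from JBoss; the function names, the sample EAR and the assumption that EJB modules are listed in META-INF/application.xml are constructed for illustration.

```python
import io
import re
import zipfile

# Annotation descriptor in a compiled bean; package name as given in the thread.
ANNOTATION = b"Lorg/jboss/ejb3/security/SecurityDomain;"
DOMAIN_RE = re.compile(rb"<security-domain>\s*([^<\s]+)\s*</security-domain>")
EJB_MODULE_RE = re.compile(rb"<ejb>\s*([^<\s]+)\s*</ejb>")

def _domain(archive, path):
    """Return the <security-domain> text of a descriptor in archive, or None."""
    xml = archive.read(path) if path in archive.namelist() else b""
    match = DOMAIN_RE.search(xml)
    return match.group(1).decode() if match else None

def audit_ear(ear_bytes):
    """Map each EJB module listed in application.xml to its domain source."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        report["jboss-app.xml"] = _domain(ear, "META-INF/jboss-app.xml")
        modules = EJB_MODULE_RE.findall(ear.read("META-INF/application.xml"))
        for name in (m.decode() for m in modules):
            with zipfile.ZipFile(io.BytesIO(ear.read(name))) as jar:
                classes = [e for e in jar.namelist() if e.endswith(".class")]
                annotated = any(ANNOTATION in jar.read(c) for c in classes)
                declared = _domain(jar, "META-INF/jboss.xml")
            report[name] = declared or ("@SecurityDomain" if annotated else "MISSING")
    return report

def make_zip(files):
    """Build an in-memory archive from {path: bytes} for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for path, data in files.items():
            archive.writestr(path, data)
    return buf.getvalue()

# Constructed sample EAR: one module per way of declaring (or omitting) the domain.
_MODULES = b"".join(b"<module><ejb>%s</ejb></module>" % n for n in (b"a.jar", b"b.jar", b"c.jar"))
SAMPLE_EAR = make_zip({
    "META-INF/application.xml": b"<application>" + _MODULES + b"</application>",
    "META-INF/jboss-app.xml": b"<jboss-app><security-domain>java:/jaas/JSolutionsCRM</security-domain></jboss-app>",
    "a.jar": make_zip({"META-INF/jboss.xml": b"<jboss><security-domain>JSolutionsCRM</security-domain></jboss>"}),
    "b.jar": make_zip({"Bean.class": b"\xca\xfe\xba\xbe" + ANNOTATION}),
    "c.jar": make_zip({"Bean.class": b"\xca\xfe\xba\xbe"}),
})

if __name__ == "__main__":
    print(audit_ear(SAMPLE_EAR))
```

A module reported as MISSING relies on jboss-app.xml alone, which is the setup reply 9 describes as giving all users access to the bean.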