4 Replies Latest reply on Sep 5, 2007 5:05 AM by bjolletz

    How to let "the system" access secure beans?

    bjolletz

      Hello everybody!

      I'm quite new to JBoss, so please excuse me if I'm missing something obvious, but I have the following problem:

      I am trying to secure some beans using the @RolesAllowed annotation. When doing this, I realized that some methods should only be able to be called by "the system", and not really by logged in users. "The system" in this case refers to some scheduled tasks which run once in a while. "The system" does not contain any user principals or roles, so the question is, how do I specify in my @RolesAllowed annotations that only "the system" is allowed to call certain methods?

      I think that this must be a common problem, so I feel like I'm missing something here... Are there any standard ways to handle this situation?


      If someone has any thoughts on this, it would be very appreciated!

      /Daniel

        • 1. Re: How to let
          changemylife

          I think that the @SecurityDomain annotation can resolve this problem. You can declare it in your code or in an XML configuration file. Then you edit login-config.xml inside xxx/server/conf.

          • 2. Re: How to let
            bjolletz

            Thanks for your reply!

            I am already using a security domain. I'll try to describe my problem better:

            For example, I have a bean like this:

            import javax.annotation.security.RolesAllowed;
            import javax.ejb.Stateless;
            import org.jboss.annotation.security.SecurityDomain;

            @Stateless
            @SecurityDomain("MySecurityDomain")
            public class MyEntityManagerSLB {

                @RolesAllowed({"admin", "developer"})
                public void foo() {
                    // Method that a user with admin or developer roles may use
                    // ...
                }

                @RolesAllowed("system")
                public void bar() {
                    // Method that only "the system" may use. "The system" referring to scheduled tasks run by a timer.
                    // ...
                }
            }



            The problem is to make "the system" able to run the bar method. I can't figure out how to make "the system" authenticated in the "MySecurityDomain".

            My first idea was to use @RunAs("system") in the scheduled timer methods, but to be able to use @RunAs in a class, that class must also have a security domain. If I put @SecurityDomain("MySecurityDomain") on the timer class I will get an Authentication Exception. This is understandable, since the code in this class is really not being run by someone logged in to the security domain, but rather from "the system", which is not authenticated in the security domain.

            I don't know if I've made this any more understandable, but maybe you understand what I'm trying to do.

            /Daniel

            • 3. Re: How to let
              changemylife

              I'm not sure that I understand your problem. "system" is a role that you declared in code. If the SecurityDomain is valid, everything is OK.

              • 4. Re: How to let
                bjolletz

                I guess the problem is how to let "the system" be authenticated in MySecurityDomain. I've figured out that "the system" somehow needs to log in programmatically to gain access to my security domain.

                It seems like I've found a solution, although I'm not sure it's how you're supposed to handle this problem...

                I simply let "the system" log in programmatically with the following code:

                import org.jboss.security.SecurityAssociation;
                import org.jboss.security.SimplePrincipal;

                SecurityAssociation.setPrincipal(new SimplePrincipal("system"));
                SecurityAssociation.setCredential("systemPassword");
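The two lines above set a thread-local identity, so whatever the timer thread does next inherits it. Below is the approach from this thread written out as a complete timer bean, as an added example that is not code from the thread, from Daniel, or from JBoss. The bean name MaintenanceTimerBean, the local interface MyEntityManagerSLBLocal, the timer interval and the credential value are all assumptions; the only pieces taken from the thread are the "system" principal, the SecurityAssociation/SimplePrincipal calls and the secured bar() method. What it adds is the try/finally that clears the association after the call, so a pooled thread does not keep carrying the "system" identity into later, unrelated work.

```java
import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.ejb.Timeout;
import javax.ejb.Timer;
import javax.ejb.TimerService;

import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

/**
 * Hypothetical timer bean (not from the thread). It deliberately carries no
 * @SecurityDomain of its own: the timer callback runs unauthenticated, which is
 * exactly why @RunAs on this class produced an Authentication Exception above.
 */
@Stateless
public class MaintenanceTimerBean {

    // Assumed local interface of the MyEntityManagerSLB bean from the thread.
    @EJB
    private MyEntityManagerSLBLocal entityManager;

    @Resource
    private TimerService timerService;

    // Constructed placeholder; in a deployment this would be read from a
    // protected configuration source rather than compiled into the class.
    private static final String SYSTEM_PASSWORD = "systemPassword";

    /** Arms a repeating timer: first run immediately, then every 10 minutes (assumed interval). */
    public void schedule() {
        timerService.createTimer(0L, 10L * 60L * 1000L, "maintenance");
    }

    @Timeout
    public void onTimeout(Timer timer) {
        // Establish the "system" identity on this thread. MySecurityDomain must
        // know a user "system" with this credential and the "system" role,
        // otherwise the @RolesAllowed("system") check on bar() still fails.
        SecurityAssociation.setPrincipal(new SimplePrincipal("system"));
        SecurityAssociation.setCredential(SYSTEM_PASSWORD);
        try {
            // Secured call: only the "system" role may invoke bar().
            entityManager.bar();
        } finally {
            // Drop the identity again, even if bar() threw. Without this the
            // container's pooled thread would still be "system" for whatever
            // it executes next.
            SecurityAssociation.clear();
        }
    }
}
```

The identity is scoped to the single call, which keeps the "system" role from leaking into other invocations that happen to reuse the same thread; everything the secured bean sees is still the normal SecurityDomain check, so no method gains access that its @RolesAllowed annotation does not grant.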