EJB and security

sradford Jul 27, 2003 10:36 AM

Hi,

If EJB A calls an MBean, which in turn calls EJB B should the security Principal be propagated correctly?

(As it doesn't appear to be with me... The old Principal=null problem)

And if not, how can it be done?

Regards,

Sean

1. Re: EJB -> MBean -> EJB and security

juhalindfors Jul 29, 2003 5:30 AM (in response to sradford)

No it doesn't. Currently you need to manage such security context propagation by yourself (passing the username/password as part of your MBean invocation).

-- Juha
Actions
2. Re: EJB -> MBean -> EJB and security

sradford Jul 29, 2003 9:32 AM (in response to sradford)

Does this also apply to JBoss 4 where the AOP stuff has the security Aspect - could this be applied to this problem in some way? (such as putting the security aspect on the MBean class)

Thanks,

Sean
Actions
3. Re: EJB -> MBean -> EJB and security

juhalindfors Jul 29, 2003 10:00 AM (in response to sradford)

You don't need AOP to achieve this, security context can be passed implicitly with a simple interception mechanism which already exists for MBeans in JBoss 3.2.

If you have access to the 3.2 version of the Admin & Dev book check the example of securing JNDIView MBean on page ~120. This shows how to implement and configure an interceptor for an MBean. Combine this information with the model how security is implemented with EJB interceptors and I think you can get pretty far with what you're trying to achieve.

Hope this helps,

-- Juha
Actions
4. Re: EJB -> MBean -> EJB and security

sradford Jul 29, 2003 4:16 PM (in response to sradford)

Sounds good. I'll just have to buy the doco

(I seem to remember, though from another post that MBean interceptors could only be configued for XMBeans, is that true?)

Thanks,

Sean
Actions
5. Re: EJB -> MBean -> EJB and security

juhalindfors Jul 29, 2003 4:19 PM (in response to sradford)

Yes, that is correct.

-- Juha
Actions

Go to original post