2. Re: Restricting access to datasources
schuller007 May 18, 2006 2:55 PM (in response to schuller007)
Great,
Following your suggestion I have configured a stacked login module, but this way all the Active Directory users will be given access to the datasource.
Is there a way to restrict it to a group, or do I need to write a custom login module?
<application-policy name="AlloraDbRealm">
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://palm/</module-option>
        <module-option name="rolesCtxDN">cn=Users,dc=palm,dc=abc,dc=com</module-option>
        <module-option name="matchOnUserDN">false</module-option>
        <module-option name="principalDNSuffix">@palm.abc.com</module-option>
        <module-option name="uidAttributeID">sAMAccountName</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
    </login-module>
    <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
        <module-option name="principal">sa</module-option>
        <module-option name="userName">sa</module-option>
        <module-option name="password"></module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=AlloraDS</module-option>
    </login-module>
</application-policy>
3. Re: Restricting access to datasources
blasph May 18, 2006 4:37 PM (in response to schuller007)
I have the same problem:
Check if a user (authenticated from AD) can look up the datasource...
I tried to make use of many modules but can't get information like which user is accessing the application server.
Can anyone tell me the way?
4. Re: Restricting access to datasources
schuller007 May 18, 2006 5:01 PM (in response to schuller007)
Inside your EJB you can do something like:

@Resource
SessionContext ctx;

public void getPrincipal() {
    ...
    // the authenticated caller, as propagated by the container
    Principal p = ctx.getCallerPrincipal();
    ...
}
5. Re: Restricting access to datasources
wmprice May 18, 2006 11:53 PM (in response to schuller007)
In your EJB, you can do a user-role mapping that only allows particular users from your AD to invoke those EJB(s). This is the caller identity that will be used when invoking your DS.
Take a look at the J2EE security section in the spec for more information.
6. Re: Restricting access to datasources
schuller007 May 19, 2006 11:21 AM (in response to schuller007)
I am using the user-role mapping for my EJBs, however I would like to secure the datasource only (i.e. regardless of whether it's used by EJBs, standalone classes, servlets, etc.). In other words, being able to say that this datasource is only to be used by this role.
7. Re: Restricting access to datasources
wmprice May 19, 2006 11:35 AM (in response to schuller007)
That is, in essence, what you are doing. You reduce the visibility of the DataSource to only those roles that are allowed to invoke your EJBs. The datasource itself has no concept of secured invocation on its own, being that it can only be invoked in the context of a managed operation (i.e. an operation from an EJB/Servlet). If a subject that is not allowed to invoke an operation on an EJB attempts such an operation, it will not succeed.
Again, since you will not, by default, be able to use the DS outside of the container, only EJBs/Servlets will have access.
8. Re: Restricting access to datasources
schuller007 May 19, 2006 11:47 AM (in response to schuller007)
How about other applications deployed in the same context? i.e. an EJB from another application accessing the DS? I agree that the DS has no concept of secured invocation, but it can be associated with a security domain that will control access to that DS (as per the post below):
http://wiki.jboss.org/wiki/Wiki.jsp?page=ConfigJCALoginModule
The question is, how do you restrict access to a specific role? I am playing around with cascading LoginModules:
LoginModule1. Login to AD.
LoginModule2. Login to a custom LoginModule that accesses a role-secured EJB. If the EJB invocation is successful, continue to
LoginModule3. ConfiguredIdentityLoginModule for the DS credentials.
9. Re: Restricting access to datasources
schuller007 May 19, 2006 12:13 PM (in response to schuller007)
The stacked approach does work; unfortunately, after the connection pool is created, subsequent calls are getting the connection from the pool and the DS security policy is not invoked anymore. If the user creating the connection pool has the right credentials, subsequent getConnection() calls are ignored.
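A sketch of the role-checking step that post 8 labels "LoginModule2", added here as an example and not code from the thread or from JBoss: rather than invoking a role-secured EJB, it reads the roles the preceding LdapLoginModule committed to the Subject and fails the whole stack when the required role is missing, so the ConfiguredIdentityLoginModule never releases the pool credentials. It assumes JBoss's convention of collecting a caller's roles in a Group principal named "Roles", and the module option `requiredRole` and the group name `AlloraDbUsers` are defined only by this example.

```java
import java.security.Principal;
import java.security.acl.Group;   // Group type used by JBoss 4-era modules (removed from newer JDKs)
import java.util.Enumeration;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical role gate for the stacked application-policy: stack it between the
 *  LdapLoginModule and the ConfiguredIdentityLoginModule, all with flag="required". */
public class RequiredRoleLoginModule implements LoginModule {
    private Subject subject;
    private String requiredRole;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        // "requiredRole" is an option name defined by this example, configured as e.g.
        // <module-option name="requiredRole">AlloraDbUsers</module-option>  (constructed value)
        this.requiredRole = (String) options.get("requiredRole");
    }

    public boolean login() {
        // Authentication already happened in the LDAP module. Roles are only added to the
        // Subject during the commit() phase, so the check has to wait until then.
        return true;
    }

    public boolean commit() throws LoginException {
        // JBoss login modules collect the caller's roles in a Group principal named "Roles".
        for (Group roles : subject.getPrincipals(Group.class)) {
            if (!"Roles".equals(roles.getName())) continue;
            Enumeration<? extends Principal> members = roles.members();
            while (members.hasMoreElements()) {
                if (requiredRole.equals(members.nextElement().getName())) return true;
            }
        }
        // A failing commit() on a required module makes LoginContext abort the whole stack,
        // so the datasource credentials held by the next module are never handed out.
        throw new LoginException("caller lacks required role " + requiredRole);
    }

    public boolean abort() { return true; }
    public boolean logout() { return true; }
}
```

As post 9 observes, this check only runs when a connection is actually authenticated; connections later handed out of the pool do not re-enter the login stack.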