10 Replies Latest reply on Nov 19, 2004 5:44 PM by jason.greene

    EJB endpoint authentication and authorization REVISITED

    cglommen

      I have read the Wiki (http://www.jboss.org/wiki/Wiki.jsp?page=WSSecureEndpoint) on securing a service endpoint, and I am quite disturbed. Does this mean only JBoss clients can access secured web services session beans?

      I really would like to know how to achieve a secure web service session bean using basic HTTP authentication over SSL. Any ideas how to achieve this using JBoss?

        • 1. Re: EJB endpoint authentication and authorization REVISITED
          jason.greene

          To enable basic auth you just add auth-method to your jboss.xml file. To require SSL you set transport-guarantee to CONFIDENTIAL. Take a look at the JBoss 4 DTD for more info.

          For example:

          <port-component>
           <port-component-name>MySecureEJBServiceEndpoint</port-component-name>
           <port-uri>/MySecureEJBServiceEnpoint</port-uri>
           <auth-method>BASIC</auth-method>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </port-component>
          


          • 2. Re: EJB endpoint authentication and authorization REVISITED
            cglommen

            Thanks for the quick reply. I do have another question. How do I take into account parameter based security?

            Consider the following hypothetical scenario:

            I have a service that provides access to a set of books, a library service if you will. Anyone can gain access to the web service, but only authors can modify books, and only their own books. I understand how to prevent/allow access to the write functions. But how do I handle the web service security for which books are actually accessible to the author? The call to Book[] getAllBooksForEdit() would need to "hook" into the security module and make this business-specific access call.

            How is this best achieved?

            • 3. Re: EJB endpoint authentication and authorization REVISITED
              jason.greene

              I added this information to the wiki. Thanks for noticing.

              • 4. Re: EJB endpoint authentication and authorization REVISITED
                jason.greene

                When you are using EJB endpoints the authentication is just being passed to the standard J2EE principal/role based security system. So if you wanted to programmatically make decisions, the J2EE role/principal system exposes two methods, both on the EJBContext object: isCallerInRole() and getPrincipal(). isCallerInRole() requires special security-role-ref tags to be made for every role you wish to test. getPrincipal() will return the username that was passed in the HTTP basic authentication.

                -Jason
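The "authors may edit only their own books" rule from post 2, written out as an added example (this is not code from the thread or from JBoss). It is an EJB 2.x stateless session bean that uses the two EJBContext calls Jason names; note that the EJB 2.x method for the caller's identity is getCallerPrincipal(), and its getName() is the username from the HTTP BASIC challenge because the endpoint delegates to the EJB security domain. The class names LibraryBean, Book and BookStore, the logical role name "author" and the lookup of the store are assumptions; home and remote interfaces are omitted.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Assumed domain class: a book records the username of its author.
class Book {
    private final String id;
    private final String author;
    private String title;
    Book(String id, String author, String title) { this.id = id; this.author = author; this.title = title; }
    String getId() { return id; }
    String getAuthor() { return author; }
    String getTitle() { return title; }
    void setTitle(String title) { this.title = title; }
}

// Assumed persistence facade; any DAO or entity-bean finder would do.
interface BookStore {
    Book[] findAll();
    Book findById(String id);
    void save(Book book);
}

public class LibraryBean implements SessionBean {
    private SessionContext ctx;
    private BookStore store;   // assumed to be looked up in ejbCreate()

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }

    /** Lists only the books owned by the authenticated caller. */
    public Book[] getAllBooksForEdit() {
        // Logical role name; it must be declared in a security-role-ref
        // in ejb-jar.xml for this bean (see the note after the code).
        if (!ctx.isCallerInRole("author")) {
            throw new EJBException("caller is not an author");
        }
        Principal caller = ctx.getCallerPrincipal();
        Book[] all = store.findAll();
        List owned = new ArrayList();
        for (int i = 0; i < all.length; i++) {
            if (all[i].getAuthor().equals(caller.getName())) {
                owned.add(all[i]);
            }
        }
        return (Book[]) owned.toArray(new Book[owned.size()]);
    }

    /** Writes are re-checked against ownership; filtering the listing alone
     *  does not protect the write method, which is reachable on its own. */
    public void updateBook(Book book) {
        if (!ctx.isCallerInRole("author")) {
            throw new EJBException("caller is not an author");
        }
        String caller = ctx.getCallerPrincipal().getName();
        Book existing = store.findById(book.getId());
        if (existing == null || !existing.getAuthor().equals(caller)) {
            throw new EJBException("caller does not own book " + book.getId());
        }
        existing.setTitle(book.getTitle());
        store.save(existing);
    }

    // Remaining SessionBean lifecycle callbacks.
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```

For the isCallerInRole("author") test to work as Jason describes, the bean's entry in ejb-jar.xml needs a security-role-ref whose role-name is author and whose role-link points at the security role the login module actually assigns (for instance Author); the write method should additionally be restricted to that role with a method-permission, so the programmatic check is the second line, not the only one.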

                • 5. Re: EJB endpoint authentication and authorization REVISITED
                  cglommen

                  So can I use BASIC authentication with a custom security interceptor? If so, how is this done?

                  And finally, where do I find documentation on SecurityProxy?

                  • 6. Re: EJB endpoint authentication and authorization REVISITED
                    cglommen

                     

                    • 7. Re: EJB endpoint authentication and authorization REVISITED
                      cglommen

                      The advice given above by jasong doesn't work. There is something missing....please update.

                      java.lang.NullPointerException
                      at org.jboss.webservice.ServiceDeployerEJB.createWebXML(ServiceDeployerEJB.java:264)
                      at org.jboss.webservice.ServiceDeployerEJB.deployWebservices(ServiceDeployerEJB.java:102)
                      at org.jboss.webservice.ServiceDeployer.startWebservice(ServiceDeployer.java:203)
                      at org.jboss.webservice.ServiceDeployer.handleNotification(ServiceDeployer.java:113)
                      at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
                      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                      at java.lang.reflect.Method.invoke(Method.java:324)
                      at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:138)
                      at $Proxy24.handleNotification(Unknown Source)
                      at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:112)
                      at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:95)
                      at org.jboss.deployment.SubDeployerSupport.start(SubDeployerSupport.java:178)
                      at org.jboss.ejb.EJBDeployer.start(EJBDeployer.java:620)
                      at org.jboss.deployment.MainDeployer.start(MainDeployer.java:944)

                      • 8. Re: EJB endpoint authentication and authorization REVISITED
                        jason.greene

                        It looks like there is a bug in 4.0.0 that is triggered when auth-type is specified, and port-uri is not. Set port-uri in your port-component section to /* or any other url value. Keep in mind that port-uri is changing to port-component-uri in 4.0.1.

                        -Jason

                        • 9. Re: EJB endpoint authentication and authorization REVISITED
                          cglommen

                          Thanks for the quick reply....One more question:

                          Will the basic username/password fields of basic authentication be what is passed to an implementation of UsernamePasswordLoginModule?

                          Forgive me if this question has an obvious answer, I'm just a bit overwhelmed with information overload trying to absorb the documentation on this (which I am trying to utilize before posting).

                          • 10. Re: EJB endpoint authentication and authorization REVISITED
                            jason.greene

                            For EJB endpoints, JBossWS will use the same security domain as the EJBs they connect to. So if you have configured an application policy for your EJBs that uses the UsernamePasswordLoginModule, then it will use that.

                            -Jason
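To show what such an application policy plugs in, here is an added example (not code from the thread or from JBoss) of a UsernamePasswordLoginModule subclass. The base class collects the username and password that the BASIC authentication handed to the security domain and compares the password with what getUsersPassword() returns; getRoleSets() supplies the roles that isCallerInRole() and method-permission checks consult. The class name LibraryLoginModule, the in-memory user table and the role names Author and Reader are constructed for illustration; a real module would query a database or directory.

```java
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class LibraryLoginModule extends UsernamePasswordLoginModule {

    // Constructed sample data: username -> expected password, username -> roles.
    private static final Map PASSWORDS = new HashMap();
    private static final Map ROLES = new HashMap();
    static {
        PASSWORDS.put("alice", "s3cret-example");
        ROLES.put("alice", new String[] { "Author" });
        PASSWORDS.put("bob", "reader-example");
        ROLES.put("bob", new String[] { "Reader" });
    }

    /**
     * Expected password for the username the BASIC challenge supplied
     * (available through getUsername()). Returning null for an unknown user
     * makes the base class fail the login the same way as a wrong password,
     * so the two cases are not distinguishable to the client.
     */
    protected String getUsersPassword() throws LoginException {
        return (String) PASSWORDS.get(getUsername());
    }

    /**
     * Role sets for the authenticated user. JBoss expects a Group named
     * "Roles" whose members are the role principals; these are the names
     * that security-role-ref role-links and method-permissions refer to.
     */
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");
        String[] names = (String[]) ROLES.get(getUsername());
        if (names != null) {
            for (int i = 0; i < names.length; i++) {
                roles.addMember(new SimplePrincipal(names[i]));
            }
        }
        return new Group[] { roles };
    }
}
```

The module is wired in exactly the way Jason describes: conf/login-config.xml gets an application-policy (say LibraryDomain) whose login-module element names this class with flag required, and the bean's jboss.xml entry sets security-domain to java:/jaas/LibraryDomain. Because the EJB endpoint inherits that domain, the username and password from the BASIC header reach this module with no separate web-tier configuration.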