5 Replies Latest reply on Sep 23, 2011 8:53 AM by jaikiran

    JBoss AS7 EJB Security Problems

    ccob

      Hi,

       

      We have recently upgraded our JBoss infrastructure within development to JBoss AS7 from v6.  We are in the middle of writing a Stateless EJB based web service.  The web service uses the CXF stack paired with WS-Security using a custom authenticating interceptor based off the SubjectCreatingInterceptor to tie in PicketBox authentication with WS-Security.

       

      The custom WS-Security interceptor works fine and authenticates correctly using the configured security domain inside standalone.xml (for which we are currently using the Database module).

       

      Now here is where the problems start.  In JBoss 6 it worked fine using the @SecurityDomain annotation on our EJB from org.jboss.ejb3.annotation, which has since been removed from JBoss AS7.  Now the only other @SecurityDomain annotation I can find is the one from PicketBox, org.jboss.security.annotations.

       

      When we use this annotation, EJB based security is nonexistent on the EJB, so the @RolesAllowed annotation is also ignored and the EJB methods can be called by anyone regardless of the WS-Security interceptor.

       

      Is there anything special that needs to be done for the org.jboss.security.annotations.SecurityDomain to work when used with an EJB?

       

      Thanks.

        • 1. Re: JBoss AS7 EJB Security Problems
          jaikiran

          ccob wrote:

           

          Now here is where the problems start.  In JBoss 6 it worked fine using the @SecurityDomain annotation on our EJB from org.jboss.ejb3.annotation, which has since been removed from JBoss AS7.

          That's not right. @org.jboss.ejb3.annotation.SecurityDomain is still available in AS7 and in fact that's what should be used. Why do you think it's removed?

          • 2. Re: JBoss AS7 EJB Security Problems
            ccob

            Sorry for the late reply, been away on annual leave.  Using Eclipse with JBoss Tools and the JBoss 7 Runtime the class cannot be resolved. What jar can I expect to see it in?

             

            Thanks.

            • 3. Re: JBoss AS7 EJB Security Problems
              wolfc

              It's in jboss-ejb3-ext-api-2.0.0-beta-1.jar.

               

              The Maven GAV is org.jboss.ejb3:jboss-ejb3-ext-api:2.0.0-beta-1.

              • 4. Re: JBoss AS7 EJB Security Problems
                ccob

                It seems that the JBoss 7.x Runtime that gets added to Eclipse when using JBoss Tools with a Dynamic Web Project doesn't include this jar as part of the runtime.  So the import doesn't work during compilation.  I made a custom User Library which did include the jar mentioned above and the project then compiles correctly and deploys into JBoss 7. 

                 

                Seems the JBoss 6.x Runtime class library in Eclipse already included it so I didn't have these compilation issues.

                 

                Thanks for your help.

                • 5. Re: JBoss AS7 EJB Security Problems
                  jaikiran

                  ccob wrote:

                   

                  It seems that the JBoss 7.x Runtime that gets added to Eclipse when using JBoss Tools with a Dynamic Web Project doesn't include this jar as part of the runtime. 

                  http://community.jboss.org/thread/168872?tstart=60