1 Reply Latest reply on May 12, 2010 11:07 AM by daniell

    How to secure an EJB application

    daniell

      Hello!


      I'm trying to find a solution on how to secure an EJB application. The EAR containing the application is deployed on a JBoss AS 4.2.2.GA.
      For the web application we're using Seam 2.1.2.


      The Seam security framework seems to work fine for the web application. Even instance-based security should be possible without huge effort. But when restricting access to EJBs using the Seam approach, clients accessing the EJBs via the remote interface do not have to authenticate themselves and have full access regardless of Seam restrictions.
      Using JBossSX as the security framework, access from external clients can be limited. But then, we cannot benefit from the features of the Seam Framework, like the easy handling inside the web application.


      Are there any recommendations on how to secure this kind of application? Do any of you use other frameworks like Apache Shiro?


      Many Thanks!


      Daniel

        • 1. Re: How to secure an EJB application
          daniell

          Hello again!


          After many readings and prototypes, I'm currently using the approach described in the last post of http://seamframework.org/Community/SeamAndSecurityContext.
          But I'm wondering if this is the solution everyone uses. So my initial question is still open: how to secure an application running in an EJB3 container and using Seam mainly for the web application? Does anyone have a recommendation? I can't believe that everyone reimplements the security features and uses a self-developed framework.


          Thank you


          Daniel