-
15. Re: Accessing EJB from web application packaged withing same EAR
ybxiang.china Aug 1, 2013 2:24 AM (in response to ejb3workshop)Ideally what I am after it to configure the EJB to require authentication and the web application to provide the authentication without specifying username and password withing the web application.
~~~~~~~~ I think this is the root cause of your problem. You even did NOT logged in your web appl with username and password, so of course your role is null, and of course your JSF MBean can NOT call EJB wich is secured.
I guess you invented your own login mechanism instead of useing JAAS. Since you abandon JAAS, you should use PermitAll and invent the full mechanism including EJB calling.
JAAS is very good, usefull, smart and simple, I think you just need a start-up guide. You can goolge JAAS. When my article is finished, I will post the link here.
-
16. Re: Accessing EJB from web application packaged withing same EAR
ejb3workshop Aug 1, 2013 2:29 AM (in response to ybxiang.china)One problem I am trying to overcome is that I require some initialisation code to be executed on startup. In this case I don't have an authenticated user to play with and hence no security context. For standard application which require the user to authenticate against a realm I fully agree that JAAS is fantastic. Hopefully I will find a way to get around the startup stuff as well without compromising on security.
-
17. Re: Accessing EJB from web application packaged withing same EAR
sfcoy Aug 1, 2013 2:51 AM (in response to ejb3workshop)The best place for startup/initialisation code is a @javax.ejb.Startup @javax.ejb.Singleton bean.
-
18. Re: Accessing EJB from web application packaged withing same EAR
ejb3workshop Aug 1, 2013 2:53 AM (in response to ejb3workshop)Even found a bug already raised for this : https://issues.jboss.org/browse/EJBTHREE-2272
-
19. Re: Accessing EJB from web application packaged withing same EAR
ejb3workshop Aug 1, 2013 2:55 AM (in response to sfcoy)I agree that javax.ejb.Startup and @javax.ejb.Singleton are great additions to the specification in 3.1, however I am not able to access a secured bean from my startup bean. It seems to be a issue with JBoss (https://issues.jboss.org/browse/EJBTHREE-2272). Do you have any other suggestion on how I could get around this. I could try to rework the application to not access an EJB, but just call non-EJB methods ? Seems like a really ugly solution though.
-
20. Re: Accessing EJB from web application packaged withing same EAR
ybxiang.china Aug 1, 2013 3:01 AM (in response to ejb3workshop)One problem I am trying to overcome is that I require some initialisation code to be executed on startup. In this case I don't have an authenticated user to play with and hence no security context.
~~~~~~~~~~~~~Sorry. I understand you now.
Here is an EJB from my app which works well:
************************************************************************************************************************
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import com.ybxiang.forum.common.KnownJaasRoles;
import com.ybxiang.forum.common.ServerConstants;
@Local(ICoreService.class)
@Singleton
@Startup
public class CoreService implements ICoreService{
Logger log = Logger.getLogger(CoreService.class.getName());
//*********************************[member fields]*********************************//
//Initialization of System Properties configured in standalone.xml.
private String domainName;
private String jaasSecurityDomain;
private String serverBindAddress;
private int topicRepliesCounterPeriodMinutes;
private String forumBackupScriptPath;
private int forumBackupPeriodMinutes;
private int cacheUpdatePeriodMinutes;
private int domainsMenusListingHtmlTableColumns;
private String contextPath;
private int homePageColumnTitleMaxLength;
private int messageSendingPeriodMillis;
@PersistenceContext
private EntityManager em;
@PostConstruct
public void start() throws Exception {
log.info(ServerConstants.SERVICE_STARTING_FLAG);
initSystemProperties();
log.info(ServerConstants.SERVICE_STARTED_FLAG);
}
@PreDestroy
public void destroy(){
log.info(ServerConstants.SERVICE_DESTROYING_FLAG);
log.info(ServerConstants.SERVICE_DESTROYED_FLAG);
}
//*********************************[interface methods]*********************************//
@Override
@PermitAll()
public String getDomainName(){
return domainName;
}
@Override
@RolesAllowed({KnownJaasRoles.ADMINISTRATOR})
public String getJaasSecurityDomain(){
return jaasSecurityDomain;
}
@Override
@PermitAll()
public String getServerBindAddress(){
return serverBindAddress;
}
//*********************************[helper methods]*********************************//
/**
* 初始化一些属性供其它服务使用
*/
private void initSystemProperties(){
try{
domainName = System.getProperty(ServerConstants.SYSTEM_PROPERTY_KEY_FORUM_domain_name,ServerConstants.DEFAULT_FORUM_domain_name);
//
jaasSecurityDomain = System.getProperty(ServerConstants.SYSTEM_PROPERTY_KEY_YBXIANG_FORUM_JAAS_SECURITY_DOMAIN,ServerConstants.DEFAULT_YBXIANG_FORUM_JAAS_SECURITY_DOMAIN);
log.info("jaasSecurityDomain="+jaasSecurityDomain);
//
serverBindAddress = System.getProperty(ServerConstants.SYSTEM_PROPERTY_KEY_JBOSS_BIND_ADDRESS,ServerConstants.DEFAULT_JBOSS_BIND_ADDRESS);
log.info("serverBindAddress="+serverBindAddress);
//
...
}catch(Exception e){
log.severe(e.getMessage());
}
}
@PermitAll()
public int getTopicRepliesCounterPeriodMinutes(){
return topicRepliesCounterPeriodMinutes;
}
@PermitAll()
public String getForumBackupScriptPath(){
return forumBackupScriptPath;
}
@PermitAll()
public int getForumBackupPeriodMinutes(){
return forumBackupPeriodMinutes;
}
@PermitAll()
public int getCacheUpdatePeriodMinutes(){
return cacheUpdatePeriodMinutes;
}
@PermitAll()
public int getDomainsMenusListingHtmlTableColumns(){
return domainsMenusListingHtmlTableColumns;
}
@PermitAll()
public String getContextPath(){
return contextPath;
}
@PermitAll()
public int getHomePageColumnTitleMaxLength(){
return homePageColumnTitleMaxLength;
}
@PermitAll()
public int getMessageSendingPeriodMillis(){
return messageSendingPeriodMillis;
}
}
-
21. Re: Accessing EJB from web application packaged withing same EAR
sfcoy Aug 1, 2013 3:02 AM (in response to ejb3workshop)Hmm. Those are both pretty old versions.
You should be able to specify a @javax.annotation.security.RunAs role in your startup bean. EJBs typically only care about authorisation (roles) rather than the authenticated identity.If for some reason your bean requires identity as well then you can also apply the @org.jboss.ejb3.annotation.RunAsPrincipal annotation to specify it.
-
22. Re: Accessing EJB from web application packaged withing same EAR
ybxiang.china Aug 1, 2013 3:04 AM (in response to ejb3workshop)I think "https://issues.jboss.org/browse/EJBTHREE-2272" has been fixed in JBoss AS 7.2.
Moreover, I am using JBoss AS 7.2. Everything is working well.
-
23. Re: Accessing EJB from web application packaged withing same EAR
ejb3workshop Aug 1, 2013 3:05 AM (in response to ybxiang.china)Maybe I missed it but I don't see you calling a secured method during your startup process.
-
24. Re: Accessing EJB from web application packaged withing same EAR
ejb3workshop Aug 1, 2013 3:06 AM (in response to sfcoy)That is what I tried and didn't work for me. I aded @RunAs to my @Startup/@Singleton bean, however calling a secured bean still resulted in an error.
-
25. Re: Accessing EJB from web application packaged withing same EAR
ybxiang.china Aug 1, 2013 3:24 AM (in response to ejb3workshop)package com.ybxiang.forum.ejb.session.test;
public interface IEJB1ForAlexanderHartner {
public String mehtod1();
public String mehtod2();
}
package com.ybxiang.forum.ejb.session.test;
public interface IEJB2ForAlexanderHartner {
public void callSomeMethod();
}
package com.ybxiang.forum.ejb.session.test;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
import javax.annotation.security.PermitAll;
import javax.ejb.Local;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import com.ybxiang.forum.common.ServerConstants;
@Local(IEJB1ForAlexanderHartner.class)
@Singleton
@Startup
public class EJB1ForAlexanderHartner implements IEJB1ForAlexanderHartner{
Logger log = Logger.getLogger(EJB1ForAlexanderHartner.class.getName());
@PostConstruct
public void start() throws Exception {
log.info(ServerConstants.SERVICE_STARTING_FLAG);
log.info(ServerConstants.SERVICE_STARTED_FLAG);
}
@PreDestroy
public void destroy(){
log.info(ServerConstants.SERVICE_DESTROYING_FLAG);
log.info(ServerConstants.SERVICE_DESTROYED_FLAG);
}
@Override
@PermitAll()
public String mehtod1(){
return "AlexanderHartner - s1";
}
@Override
@PermitAll()
public String mehtod2(){
return "AlexanderHartner - s2";
}
}
package com.ybxiang.forum.ejb.session.test;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import com.ybxiang.forum.common.ServerConstants;
@Local(IEJB2ForAlexanderHartner.class)
@Singleton
@Startup
public class EJB2ForAlexanderHartner implements IEJB2ForAlexanderHartner{
private static Logger log = Logger.getLogger(EJB2ForAlexanderHartner.class.getName());
@EJB
IEJB1ForAlexanderHartner ejb1;
@PostConstruct
public void start() throws Exception {
log.info(ServerConstants.SERVICE_STARTING_FLAG);
//***
log.warning(ejb1.mehtod1());
//***
log.info(ServerConstants.SERVICE_STARTED_FLAG);
}
@PreDestroy
public void destroy(){
log.info(ServerConstants.SERVICE_DESTROYING_FLAG);
log.info(ServerConstants.SERVICE_DESTROYED_FLAG);
}
@Override
public void callSomeMethod() {
}
}
******************************** log ********************************
15:21:35,425 WARNING [com.ybxiang.forum.ejb.session.test.EJB2ForAlexanderHartner] (ServerService Thread Pool -- 59) AlexanderHartner - s1
-
26. Re: Accessing EJB from web application packaged within same EAR
ejb3workshop Aug 1, 2013 3:21 AM (in response to ejb3workshop)Adding the following to the startup bean :
@Resource
private EJBContext ejbContext;
@PostConstruct
public void init()
{
System.out.println("ejbContext.isCallerInRole(\"Administration\") : "+ejbContext.isCallerInRole("Administration"));
}
resulted in:
JBAS014527: Cannot call isCallerInRole() when state is postConstruct
-
27. Re: Accessing EJB from web application packaged withing same EAR
ejb3workshop Aug 1, 2013 3:31 AM (in response to ybxiang.china)I created my own simplified example:
@Startup
@RunAs("Administration")
@Singleton
public class StartupBean
{
@Resource
private EJBContext ejbContext;
@PostConstruct
public void init()
{
permittedMethod();
securedMethod();
}
@PermitAll
public void permittedMethod()
{
System.out.println("This call is not secured");
securedMethod();
}
@RolesAllowed("Administration")
public void securedMethod()
{
System.out.println("This call is secured");
}
}
which worked as expected.
15:27:00,634 INFO [stdout] (ServerService Thread Pool -- 65) This call is not secur
15:27:00,639 INFO [stdout] (ServerService Thread Pool -- 65) This call is secured
15:27:00,642 INFO [stdout] (ServerService Thread Pool -- 65) This call is secured
I then removed the RunAs annotation an from this bean and restarted the application server and the output remained the same. I suspect that in this case the method call to the "secured" method is really just a local call and security does not come into play here.
5:30:35,993 INFO [stdout] (ServerService Thread Pool -- 71) This call is not secured
5:30:35,994 INFO [stdout] (ServerService Thread Pool -- 71) This call is secured
5:30:35,995 INFO [stdout] (ServerService Thread Pool -- 71) This call is secured
-
28. Re: Accessing EJB from web application packaged withing same EAR
sfcoy Aug 1, 2013 3:39 AM (in response to ejb3workshop)1 of 1 people found this helpfulThe access permissions of the EJB are only applied when a business method is invoked through a proxy (ie. from an injected reference).
-
29. Re: Accessing EJB from web application packaged within same EAR
ybxiang.china Aug 1, 2013 3:51 AM (in response to ejb3workshop)I don't master @RunAs and met problems when use it in jboss 7, so I always avoid it.
I really dislike such a fake role. Since it is fake, why NOT just use PermitAll? Is there difference?
I just use PermitAll in Local EJB and use AllowedRoles('real.roles') in Remote EJB.