1. Re: getClientHost() works in EJB
adrian.brock Mar 12, 2002 5:51 AM (in response to guy_rouillier)
This might not be supported in future?
Currently in JBoss the same thread that accepts the RMI request calls the bean. This might be changed in a future version.
Regards,
Adrian
2. Re: getClientHost() works in EJB
guy_rouillier Mar 12, 2002 1:54 PM (in response to guy_rouillier)
Is there then a way to accomplish the same thing in a way that won't break? I.e., is there a "right" way to do this?
3. Re: getClientHost() works in EJB
adrian.brock Mar 12, 2002 2:23 PM (in response to guy_rouillier)
What are you trying to do with the IP address?
Regards,
Adrian
4. Re: getClientHost() works in EJB
guy_rouillier Mar 13, 2002 12:01 AM (in response to guy_rouillier)
We have a sensitive application. One of the security checks that we do is to make sure that our methods are being invoked from a "known host".
5. Re: getClientHost() works in EJB
adrian.brock Mar 13, 2002 6:23 AM (in response to guy_rouillier)
You shouldn't really code security into the bean. Especially since it won't catch all methods. Some of the methods are implemented by the container (your code in the bean won't stop these).
If you want to deny access from an IP address, have a look at
http://www.jboss.org/online-manual/HTML/ch13s131.html
and add a customized socket that only accepts certain IP addresses.
This puts your check in the RMI layer which will always allow your code. It will also trap all access.
Regards,
Adrian
6. Re: getClientHost() works in EJB
guy_rouillier Mar 20, 2002 12:27 PM (in response to guy_rouillier)
Adrian, thanks - haven't checked back in a while. This entire EJB is an authentication/authorization module. We'll have methods like authenticate(userid, password) and isApplicationEnabled(userid, applid). I'm aware of (but not conversant in) the security mechanism in the EJB framework, but we want something that will work for all our applications, and is more fine-grained than just roles. So we are rolling our own. Rather than filter out unknown hosts at the RMI level, I'd rather let them through, then reject them through our standard hierarchy of exceptions.