2 Replies Latest reply on Jun 21, 2006 12:29 PM by Paul Andrews

    Security proxy annotation?

    Paul Andrews Newbie


      I'm implementing a security proxy and I note that I have to associate the specific security proxy with an EJB in the jboss.xml file.

      So far I don't have a jboss.xml and so I was wondering if there should be an annotation that performs the same job as the declaration in the jboss.xml file?

      At first glance it seems that @AroundInvoke might provide similar functionality but the InvocationContext argument passed to the interceptor doesn't include any security context information, so how would you obtain that?

      - Paul

        • 1. Re: Security proxy annotation?
          William DeCoste Apprentice

          The security proxy mechanism is no longer supported by EJB3. In fact, it's really a deprecated mechanism for JBossAS. You have a few options.

          You can add a custom interceptor by writing your own security interceptor class and deploying the interceptor by adding it to ejb3-interceptors-aop.xml.

          Or, as you mention, you can use the @Interceptor, @Interceptors, and @AroundInvoke annotations to add a security interceptor.

          Security information is available through the org.jboss.security.SecurityAssociation singleton - you can determine Principal and Credential information from there.

You can also determine specific (target, method, parameters) info from the InvocationContext and also generic information via getContextData().

          • 2. Re: Security proxy annotation?
            Paul Andrews Newbie

Thanks for the reply. That's very useful. I also finally realized that I can inject the EJBContext into the interceptor and get the principal info from there, though I note I can get more information from the SecurityAssociation.

I'm not sure I need it, but can I get security domain information from within a standard EJB3 interceptor? I know I can get the value of the @SecurityDomain annotation on the target object, but what about the currently active security domain (if that makes sense)?
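The interceptor approach described in reply 1 and the EJBContext injection mentioned in reply 2, put together as an added example that neither participant posted: an @AroundInvoke interceptor that reads the caller principal, the SecurityAssociation state, the target's @SecurityDomain annotation and the invoked method, and denies a call that fails a simple role check. The class name, the "admin" role, the delete* rule and the org.jboss.annotation.security package for @SecurityDomain are assumptions.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import org.jboss.annotation.security.SecurityDomain;   // assumed package (JBoss 4.x era)
import org.jboss.security.SecurityAssociation;

/**
 * Hypothetical replacement for a jboss.xml security proxy. Attach it with
 * @Interceptors(AuditingSecurityInterceptor.class) on the bean, or register it
 * in ejb3-interceptors-aop.xml as reply 1 describes.
 */
public class AuditingSecurityInterceptor {

    // Injected EJBContext: caller principal and role checks (reply 2).
    @Resource
    private EJBContext ejbContext;

    @AroundInvoke
    public Object checkCaller(InvocationContext ctx) throws Exception {
        Object target = ctx.getTarget();
        Method method = ctx.getMethod();

        // Container's view of the caller; may be an anonymous principal, never trust it blindly.
        Principal caller = ejbContext.getCallerPrincipal();
        String callerName = caller == null ? "<anonymous>" : caller.getName();

        // SecurityAssociation singleton (reply 1): principal plus credential.
        // Only record whether a credential is present, never its value.
        Principal associated = SecurityAssociation.getPrincipal();
        boolean hasCredential = SecurityAssociation.getCredential() != null;

        // The @SecurityDomain annotation on the target class, read by reflection (reply 2).
        SecurityDomain domain = target.getClass().getAnnotation(SecurityDomain.class);
        String domainName = domain != null ? domain.value() : "(none declared)";

        // Assumed policy: delete* methods require the "admin" role; reject otherwise.
        if (method.getName().startsWith("delete") && !ejbContext.isCallerInRole("admin")) {
            throw new EJBAccessException(callerName + " may not invoke " + method.getName());
        }

        // Audit line for detection/forensics; a real deployment would use the container logger.
        System.out.printf("[%s] %s.%s by %s (association=%s, credential=%b)%n", domainName,
                target.getClass().getSimpleName(), method.getName(), callerName,
                associated == null ? "null" : associated.getName(), hasCredential);

        return ctx.proceed();
    }
}
```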