2 Replies Latest reply on Aug 27, 2006 3:02 AM by Slava Gorelik

    EJB 3.0 and Authorization

    Slava Gorelik Newbie

      I have an EJB 3.0 bean:

      package org;

      import javax.annotation.security.DenyAll;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.Stateless;
      import javax.persistence.EntityManager;
      import javax.persistence.PersistenceContext;

      @Stateless
      public class ProcessPaymentBean implements ProcessPaymentRemote {
          public ProcessPaymentBean() {
              int a = 1;
          }

          @PersistenceContext(name = "Context")
          private EntityManager em;

          /* private void setEm(EntityManager em) {
              this.em = em;
          } */

          @DenyAll
          public int test1(int a) {
              int res = 0;
              if (em == null) {
                  return 0;
              }
              Provider prov = new Provider();

              try {
              } catch (Exception e) {
                  res = 2;
              }
              res = 1;
              return res;
          }
      }

      and a client that wants to access this bean:

      import java.util.Properties;
      import javax.naming.Context;
      import javax.naming.InitialContext;
      import javax.naming.NamingException;
      import javax.persistence.EntityManager;

      public class MyTest {
          public static void main(String[] args) {
              EntityManager em = null;
              try {
                  Context jndiContext = getInitialContext();
                  ProcessPaymentRemote ref = (ProcessPaymentRemote) jndiContext.lookup("ProcessPaymentBean/remote");
                  int res = ref.test1(1);

                  int a = 1;
              } catch (Throwable e) {
              }
          }

          public static Context getInitialContext() throws NamingException {
              Properties p = new Properties();
              p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
              p.put(Context.URL_PKG_PREFIXES, "org.jboss.naming;org.jnp.interfaces");
              p.put(Context.PROVIDER_URL, "jnp://localhost:1099");
              return new InitialContext(p);
          }
      }



      And when I'm executing my client, no access exception is thrown. Everything is executed as if no @DenyAll is defined.

      What am I doing wrong, and what do I need to configure? Maybe I'm missing something.

      Or maybe I can download some JBoss 4.0.4 (EJB 3.0) authorization example?

      Thank You.

        • 1. Re: EJB 3.0 and Authorization
          Gary Cuozzo Newbie

          I think you are missing a @SecurityDomain annotation in your SLSB. It's a JBoss annotation iirc. I was just messing around with this type of thing a few weeks ago.

          You will also need to add/configure the domain in your login-config.xml file.
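
The change described in this reply, as an added example (not code from either poster or from the JBoss project): the bean from the question bound to a security domain, with the matching login-config.xml entry shown in the comment. The domain name payment-domain, the choice of UsersRolesLoginModule and the properties file names are assumptions; the annotation package is the one used by the JBoss 4.x EJB3 container.

```java
package org;

import javax.annotation.security.DenyAll;
import javax.ejb.Stateless;

// JBoss-specific annotation (JBoss 4.x EJB3 package name).
import org.jboss.annotation.security.SecurityDomain;

/*
 * Matching entry in the server's conf/login-config.xml (constructed sample).
 * The policy name must equal the value given to @SecurityDomain below.
 *
 * <application-policy name="payment-domain">
 *   <authentication>
 *     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
 *                   flag="required">
 *       <module-option name="usersProperties">users.properties</module-option>
 *       <module-option name="rolesProperties">roles.properties</module-option>
 *     </login-module>
 *   </authentication>
 * </application-policy>
 */
@Stateless
@SecurityDomain("payment-domain") // assumed domain name; ties the bean to the policy above
public class ProcessPaymentBean implements ProcessPaymentRemote {

    // With the bean bound to a security domain, the container enforces
    // this annotation and rejects every caller, whatever roles they hold.
    @DenyAll
    public int test1(int a) {
        return 1;
    }
}
```

A quick check after redeploying: the unchanged client from the question should now fail at ref.test1(1) instead of receiving a result.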


          • 2. Re: EJB 3.0 and Authorization
            Slava Gorelik Newbie

            Thank You. This solved the problem.

            Maybe you can help me with another question:

            I want to use a client-side certificate to authorize; my question is:
            If I use CertRolesLoginModule as a login module for my security domain, who is responsible for passing the certificate to the CertRolesLoginModule? I saw that the certificate is passed in javax.security.auth.login.password. But who does this? And also, how can I use custom fields in the certificate to assign a role? The default is "distinguished name"?

            Thank You.