2 Replies Latest reply on Apr 9, 2008 8:13 AM by Alexander Degenstein

    JBOSS 4.2 + Spring Security on EJB3

    Carsten Lichy-Bittendorf Newbie

      I like to use a spring ACLProvider on an EJB.
      I have a classic EJB3 implementation and started to secure this using acegi.
      I'm getting it successfilly deployed, but the security seems to be not activ.

      Is there anybody, who has an working example for me, or can share experiences?

      CU, Carsten

        • 1. Re: JBOSS 4.2 + Spring Security on EJB3
          Ragav Gomatam Novice

          Correct me if I am wrong, but I believe ejb's are still secured by containers. You can set up a declarative security policy with use of xml tags in the ejb-jar.xml for the container or roll your own with JAAS. If you are using JAAS then acegi security is out of the question. If you are using xml tag based security in the web.xml/jboss-web.xml, then the security context is propagated to the ejb container by jboss. In this case too acegi security is out.

          Cut to the chase, acegi cannot be used for ejb's. It is a filter based HTTP protocol authorization/authentication mechanism. Good for web resources & ensures web container independence. For ejb's you got to rely on container for security & as I said before containers provide 2 ways to secure ejb's ( xml tags based & Jaas based ) ...

          • 2. Re: JBOSS 4.2 + Spring Security on EJB3
            Alexander Degenstein Newbie

            in my case i have the same requirements, i have an ejb3 container (Jboss 4.2) an a classic EJB3 implemetation. I want to secure the methods of my EJB's by Spring Security. Furthermore i have a rich client application which acces the ejb components with JNDI lookups. So I can't use filter based HTTP protocol autorization/authentication.
            A solution for using Spring Security without web stuff u can find here:

            But that's not everything. I have the problem that i don't know how i can secure the methods within the context of a JNDI lookup. Actualy the Spring IoC Container have to handle the MethodSecurityInterceptor aspects. But I dont' know how i could configure it in the way to stick it together...do anybody have similar requirements?