3 Replies Latest reply on Sep 6, 2005 10:41 AM by jaikiran

    Startup servlet invoking Secured EJB

    jaikiran
    jaikiran Aug 26, 2005 3:34 AM

      Hi,
      I have a startup servlet which is invoking an secured EJB. I am able to invoke the method the bean without any exceptions.

      My question is, what role does the startup servlet use for invoking the bean, since no user has yet logged in? How is it able to invoke the method on the bean, which is secured?

      Thank you

      • 2149 Views
      • Tags:
        • 1. Re: Startup servlet invoking Secured EJB
          jaikiran
          jaikiran Aug 29, 2005 5:02 AM (in response to jaikiran)

          Is this a FAQ, or a silly question?

            • Actions
          • 2. Re: Startup servlet invoking Secured EJB
            jaikiran
            jaikiran Sep 6, 2005 9:04 AM (in response to jaikiran)

            After debugging the jboss code, i found that the reason why the servlet is able to invoke the method on bean is because, somehow it is able to get the right role, which is required by the bean.

            I put a breakpoint in the OILServerILService at the following line:

            case OILConstants.AUTHENTICATE:
 result = server.authenticate((String)in.readObject(), (String)in.readObject());
 break;

            Also, i placed a breakpoint in SecurityManager class: 
            public String authenticate(String user, String password) throws JMSException

            The value that gets passed on to the method is the user name and password(in my case "admin","adminPassword"). The role corresponding to "admin" has the privilege to invoke the method on bean. Hence i am able to access the bean.

            But, my question still remains as to how and where is this username and password obtained, to be passed on to the SecurityManager, since i havent mentioned any of these as parameters to the startup servlet.

            Can anyone please answer this. I have been trying to figure this out for the past few days.

            Thank you.

              • Actions
            • 3. Re: Startup servlet invoking Secured EJB
              jaikiran
              jaikiran Sep 6, 2005 10:41 AM (in response to jaikiran)

              And here's an extract from the web.xml file:



              <servlet>
 <servlet-name>AppStartupServlet</servlet-name>
 <servlet-class>com.app.servlet.StartupServlet</servlet-class>
 <load-on-startup>1</load-on-startup>
 </servlet>


 <security-constraint>
 <web-resource-collection>
 <web-resource-name>My app</web-resource-name>
 <url-pattern>/jsp/*</url-pattern>
 <url-pattern>*.do</url-pattern>
 <url-pattern>*.jsp</url-pattern>
 <url-pattern>/servlet/*</url-pattern>
 <url-pattern>/servlet/DisplayChart</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>dev</role-name>
 <role-name>admin</role-name>
 <role-name>user</role-name>
 </auth-constraint>
 </security-constraint>

 <login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>JBoss HTTP Invoker</realm-name>
 </login-config>
 <security-role>
 <role-name>dev</role-name>
 </security-role>
 <security-role>
 <role-name>admin</role-name>
 </security-role>
 <security-role>
 <role-name>tapuser</role-name>
 </security-role>


                • Actions