3 Replies Latest reply on Sep 6, 2005 10:40 AM by jaikiran pai

    Startup servlet invoking Secured EJB

    jaikiran pai Master

      Hi,
      I have a startup servlet which is invoking a secured EJB. The bean can be invoked only by some specified roles. I am able to invoke the method on the bean without any exceptions.

      My question is, what role does the startup servlet use for invoking the bean, since no user has yet logged in? How is it able to invoke the method on the bean?

      Thank you

        • 1. Re: Startup servlet invoking Secured EJB
          jaikiran pai Master

          Is this a FAQ, or a silly question?

          • 2. Re: Startup servlet invoking Secured EJB
            jaikiran pai Master

            After debugging the JBoss code, I found that the reason why the servlet is able to invoke the method on the bean is that, somehow, it is able to get the right role, which is required by the bean.

            I put a breakpoint in the OILServerILService at the following line:

            case OILConstants.AUTHENTICATE:
                result = server.authenticate((String)in.readObject(), (String)in.readObject());
                break;

            Also, I placed a breakpoint in the SecurityManager class:
            public String authenticate(String user, String password) throws JMSException

            The value that gets passed on to the method is the user name and password (in my case "admin", "adminPassword"). The role corresponding to "admin" has the privilege to invoke the method on the bean. Hence I am able to access the bean.

            But my question still remains as to how and where this username and password are obtained, to be passed on to the SecurityManager, since I haven't mentioned any of these as parameters to the startup servlet.

            Can anyone please answer this? I have been trying to figure this out for the past few days.

            Thank you.

            • 3. Re: Startup servlet invoking Secured EJB
              jaikiran pai Master

              And here's an extract from the web.xml file:



              <servlet>
                <servlet-name>AppStartupServlet</servlet-name>
                <servlet-class>com.app.servlet.StartupServlet</servlet-class>
                <load-on-startup>1</load-on-startup>
              </servlet>

              <security-constraint>
                <web-resource-collection>
                  <web-resource-name>My app</web-resource-name>
                  <url-pattern>/jsp/*</url-pattern>
                  <url-pattern>*.do</url-pattern>
                  <url-pattern>*.jsp</url-pattern>
                  <url-pattern>/servlet/*</url-pattern>
                  <url-pattern>/servlet/DisplayChart</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                </web-resource-collection>
                <auth-constraint>
                  <role-name>dev</role-name>
                  <role-name>admin</role-name>
                  <role-name>user</role-name>
                </auth-constraint>
              </security-constraint>

              <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>JBoss HTTP Invoker</realm-name>
              </login-config>
              <security-role>
                <role-name>dev</role-name>
              </security-role>
              <security-role>
                <role-name>admin</role-name>
              </security-role>
              <security-role>
                <role-name>tapuser</role-name>
              </security-role>