8 Replies Latest reply on Sep 20, 2003 11:27 AM by Juha Lindfors

    Security "how to" doc

    lucrussell Newbie

      Hi all,
      I've was lurking on this list quite heavily a while ago and just wanted to say thanks for all the help ... I wrote a short doc based on my experience implementing security on JBoss - it covers creating a login page, protecting EJB methods with declarative security, building a custom login module, and also some specific stuff to do with JNDI and LDAP. I hope this is useful for someone... also please let me know if I've done anything completely stupid.
      cheers
      Luc

        • 1. Re: Security "how to" doc
          Juha Lindfors Master

          Please post this to the FAQ forum where it will be better preserved.

          -- Juha

          • 2. Re: Security "how to" doc
            Joshua Davis Expert

            I found the example useful. A few relatively minor comments:

            * First, the whole thing is well documented and easy to navigate. WELL DONE!

            * There is a dependency (static linkage) between DAOFactory and LdapDAOFactory. It might be cleaner to replace that with a dynamic linkage.

            * The password encryption seems like a one way hash (not decryptable), yet the names of the class that does this is EncryptUtils which implies that this is somehow reversable. Does your example indicate this somewhere? Maybe I missed it.

            * Are the *TO objects implementing the value object J2EE pattern? If so, why are they called 'TO' rather than say, 'VO'?

            * The EJB implementation declares a Log4J logger, yet it uses System.out.println(). Why?

            • 3. Re: Security "how to" doc
              lucrussell Newbie

              Thanks very much for these comments, I'm glad you found the article useful...

              * It would be better to replace the static linkage between the factory classes with some kind of dynamic lookup, maybe from a properties file or something - I think I might have mentioned this in the text of the article somewhere.

              * You are correct, the password encryption here is a one-way hash - the main reason for naming this class EncryptUtils was to allow adding other methods such as encryptMD5, etc.

              * The more recent J2EE patterns documentation refers to a Transfer Objects pattern rather than the previous Value Object pattern, hence the *TO designation (http://java.sun.com/blueprints/corej2eepatterns/Patterns/TransferObject.html)

              * Silly mistake :)

              cheers
              Luc

              • 4. Re: Security "how to" doc
                Joshua Davis Expert

                I am considering making a similar "how to" doc for RDBMS based security, and your example has given me some great ideas.

                * I think the 'Abstract Factory' pattern is what could be used for the dynamic lookup. Although I might not have gotten the name of it exactly right (see rant).

                * Transfer Objects. Wow, okay... I had not heard of that. Thanks for the info!


                Makes you wonder whether they are just renaming things to make it seem like this is all something new. The Sun J2EE patterns are starting to resemble technology made by commercial software companies (that I used to work for, who shall remain nameless), which consisted purely of renaming things in a confusing manner.

                public class FlyweightMemoValueTransferSerializeableBeanThingamajig implements ....

                :)

                • 5. Re: Security "how to" doc
                  sys user Master

                  Luc,

                  Thanks for the excellent docs. I was able to get it working in jboss 3.2, with one exception:

                  After a successful authentication by "lrussell" , I get a page which has two links, "list users" and "secret..". When I click on "list users" I get a Null Pointer exception.


                  Looking under the hood, I find that the username/principal being passed to the EJBs is null, even though I have a valid session in the "web" layer.

                  So how do you make the username propogate from the "web" layer to the "ejbs" ?

                  Thanks
                  --
                  Sanjay

                  • 6. Re: Security "how to" doc
                    Joshua Davis Expert

                    > So how do you make the username propogate from the "web" layer to the "ejbs" ?

                    This happens because the same JAAS security context is being used by both "layers" (see JBoss docos for a more detailed explanation).

                    • 7. Re: Security "how to" doc
                      lucrussell Newbie

                      > This happens because the same JAAS security context is being used by both "layers"

                      Yes, so it might be worth checking that you have a line like this in both your jboss-web.xml and jboss.xml files:

                      <security-domain>java:/jaas/security-example</security-domain>

                      • 8. Re: Security "how to" doc
                        Juha Lindfors Master

                        Now accessible through the FAQ forum.

                        -- Juha