3 Replies Latest reply on Dec 20, 2004 5:08 AM by Alexander

    I want to secure my EJB components used by remote machines.

    min-changcha Newbie

      Hi all

      I am using JBoss 3.2.5 and jdk 1.4.
      I am planning to service ejb components from ways as ASP(Application Service Provider) or Bean Provider(mentioned from EJB specification doc)

      If I implement such a service, My components may be called by many clients(remote marchines) that want to use services.

      But, I encountered a problem. It is how to secure my components.
      If I don`t secure my components, any clients can invoke my all components.

      I read many document supported by JBOSS and SUN but I can`t find a way to solve my problem.

      Please help me.

      p.s I am a korean, so my english may be fool.

        • 1. Re: I want to secure my EJB components used by remote machin
          Alexander Newbie

          Hello.

          my personal opinion:

          From the position of the bean provider ("application component provider"), and forgetting about instance-based access control, you should (in general case):
          1) extract the list of all use cases, where you beans are going to be used;
          2) generalize the list of correspondent actors to the set of roles;
          3) use these roles for setting permissions of beans/methods in ejb-jar.xml deployment descriptor;
          4) optionally, you can use this roles inside bean methods code for security or other goals.

          From the position of ASP ("application assembler" and "application deployer") you should (in general case):
          1) configure application server security infrastructure according your requirements;
          2) map roles from the ejb-jar.xml to real roles in the security domain of the application server, and put this mapping information into the jboss.xml deployment descriptor;
          3) compose components to application;
          4) deploy and test the application;
          5) ... etc.

          Alexander

          • 2. Re: I want to secure my EJB components used by remote machin
            min-changcha Newbie

            Hi Alexander.
            Thanks for your opinion.

            However I wanted detail solution. :-)
            To solve this problem, I performed below steps.

            1) I made a security domain.(login-config.xml)

            <application-policy name = "Extra">

            <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
            flag = "required">
            <!--<module-option name = "unauthenticatedIdentity">guest</module-option>-->
            <module-option name = "dsJndiName">java:/ExtraDS</module-option>
            <module-option name = "principalsQuery">SELECT PW FROM EJB_USER WHERE ID=?</module-option>
            <module-option name = "rolesQuery">SELECT ROLE, 'ROLES' FROM EJB_ROLE WHERE ID=?</module-option>
            </login-module>

            </application-policy>


            2) I created table for roles and users and put corresponding informations with my environment.

            3) I set security domain(jboss.xml)

            <security-domain>java:/jaas/Extra</security-domain>

            4) I edited a ejb.jar

            <assembly-descriptor >

            <security-role>
            <role-name>MyRole</role-name>
            </security-role>

            <method-permission>
            <role-name>MyRole</role-name>

            <ejb-name>FrontSample</ejb-name>
            <method-name>*</method-name>


            <ejb-name>Sample</ejb-name>
            <method-name>*</method-name>

            </method-permission>
            </assembly-descriptor>


            ...
            <security-identity><use-caller-identity/></security-identity>
            <security-role-ref>
            <role-name>MyRole</role-name>
            </security-role-ref>



            ...
            <security-role-ref>
            <role-name>MyRole</role-name>
            </security-role-ref>


            5) My remote client code is :

            lookupProp.put(Context.INITIAL_CONTEXT_FACTORY,"org.jnp.interfaces.NamingContextFactory");
            lookupProp.put(Context.PROVIDER_URL, "jnp://" + prop.get("SERVER_IP") + ":" + prop.get("LOOKUP_PORT"));
            lookupProp.put(Context.SECURITY_PRINCIPAL, "admin");
            lookupProp.put(Context.SECURITY_CREDENTIALS, "admin");
            ctx = new InitialContext(lookupProp);
            ... code for lookup


            6) Finally, A exception message(when called create() method) is :

            java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
            java.rmi.ServerException: EJBException:; nested exception is:
            javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
            Authentication exception, principal=null



            Now, I have a question. It is how to set id and password authenticating identity.
            Above code(no 5) uses Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS to set id and password but as result, such approach seems invalid. Otherwise I may use LoginContext to authenticate indentity but It also seems to not support function for remote server.

            How can I solve this problem?
            Please help me.

            • 3. Re: I want to secure my EJB components used by remote machin
              Alexander Newbie

              Hello.

              Ability to get access to the JNDI tree does not mean, that your client application has pass the JAAS login (and Subject and SecurityAssociation are set correctly). The exception you receive (most probably) means that your client application does not pass the JAAS login to the security domain.

              Min-chang Cha wrote:
              How can I solve this problem?

              explicitly login to the server security domain by using JAAS
              look into documentationhttp://www.jboss.org/wiki/Wiki.jsp?page=JBossSX

              Alexander