Howto use declarative ejb security with a standalone client?
sven-loe Feb 28, 2006 4:46 AM
Hello,
I have a standalone client that uses EJBs in a JBoss4 AS.
Client --> JBoss Beans
The connection works fine. But I need to provide security on the JBoss side. So I use declarative security for my session beans. The problem is that JBoss does not block unauthorized calls to my session beans.
My config:
I created the roles.properties and users.properties files.
I added this to my login-config.xml:
<!-- EJB login configuration with property files -->
<application-policy name = "EJBLogin">
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="usersProperties">users.properties</module-option>
<module-option name="rolesProperties">roles.properties</module-option>
<module-option name="roleGroupSeperator">.</module-option>
<module-option name="unauthenticatedIdentity">nobody</module-option>
</login-module>
</application-policy>
I have added these parameters to the InitialContext constructor:
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

Properties p = new Properties();
p.put(Context.SECURITY_PRINCIPAL, username);
p.put(Context.SECURITY_CREDENTIALS, passwd);
p.put(Context.SECURITY_PROTOCOL, protocol); // name of the login-config application-policy
p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
InitialContext ctx = new InitialContext(p);
I have created this deployment descriptor:
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd" version="2.1">
  <description><![CDATA[No Description.]]></description>
  <display-name>Generated by XDoclet</display-name>
  <enterprise-beans>
    <!-- Session Beans -->
    <session>
      <description><![CDATA[Interface Bean for SAP Cats System]]></description>
      <display-name>EJB SapInterface Bean</display-name>
      <ejb-name>ejbsecdemo/SecDemo</ejb-name>
      <home>ejbsecdemo.SecDemoHome</home>
      <remote>ejbsecdemo.SecDemo</remote>
      <local-home>ejbsecdemo.SecDemoLocalHome</local-home>
      <local>ejbsecdemo.SecDemoLocal</local>
      <ejb-class>ejbsecdemo.SecDemoBean</ejb-class>
      <session-type>Stateful</session-type>
      <transaction-type>Container</transaction-type>
      <security-role-ref>
        <role-name>user</role-name>
        <role-link>users</role-link>
      </security-role-ref>
      <security-role-ref>
        <role-name>admin</role-name>
        <role-link>admins</role-link>
      </security-role-ref>
      <security-identity>
        <use-caller-identity />
      </security-identity>
    </session>
    <!--
    To add session beans that you have deployment descriptor info for, add
    a file to your XDoclet merge directory called session-beans.xml that contains
    the <session></session> markup for those beans.
    -->
    <!-- Entity Beans -->
    <!--
    To add entity beans that you have deployment descriptor info for, add
    a file to your XDoclet merge directory called entity-beans.xml that contains
    the <entity></entity> markup for those beans.
    -->
    <!-- Message Driven Beans -->
    <!--
    To add message driven beans that you have deployment descriptor info for, add
    a file to your XDoclet merge directory called message-driven-beans.xml that contains
    the <message-driven></message-driven> markup for those beans.
    -->
  </enterprise-beans>
  <!-- Relationships -->
  <!-- Assembly Descriptor -->
  <!--
  To specify your own assembly descriptor info here, add a file to your
  XDoclet merge directory called assembly-descriptor.xml that contains
  the <assembly-descriptor></assembly-descriptor> markup.
  -->
  <assembly-descriptor>
    <!--
    To specify additional security-role elements, add a file in the merge
    directory called ejb-security-roles.xml that contains them.
    -->
    <security-role>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>user</role-name>
    </security-role>
    <security-role>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>anonymous</role-name>
    </security-role>
    <security-role>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>admin</role-name>
    </security-role>
    <!-- method permissions -->
    <!--
    To specify additional method-permission elements, add a file in the merge
    directory called ejb-method-permissions.ent that contains them.
    -->
    <method-permission>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>user</role-name>
      <role-name>admin</role-name>
      <method>
        <description><![CDATA[description not supported yet by ejbdoclet]]></description>
        <ejb-name>ejbsecdemo/SecDemo</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <method-permission>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>anonymous</role-name>
      <role-name>user</role-name>
      <role-name>admin</role-name>
      <method>
        <description><![CDATA[Authenticate the User and set the role in the Container.]]></description>
        <ejb-name>ejbsecdemo/SecDemo</ejb-name>
        <method-intf>Local</method-intf>
        <method-name>authenticate</method-name>
        <method-params>
          <method-param>java.lang.String</method-param>
          <method-param>java.lang.String</method-param>
        </method-params>
      </method>
    </method-permission>
    <method-permission>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>anonymous</role-name>
      <role-name>user</role-name>
      <role-name>admin</role-name>
      <method>
        <description><![CDATA[Authenticate the User and set the role in the Container.]]></description>
        <ejb-name>ejbsecdemo/SecDemo</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>authenticate</method-name>
        <method-params>
          <method-param>java.lang.String</method-param>
          <method-param>java.lang.String</method-param>
        </method-params>
      </method>
    </method-permission>
    <method-permission>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>admin</role-name>
      <method>
        <description><![CDATA[Change Password]]></description>
        <ejb-name>ejbsecdemo/SecDemo</ejb-name>
        <method-intf>Local</method-intf>
        <method-name>change_passwd</method-name>
        <method-params>
          <method-param>java.lang.String</method-param>
        </method-params>
      </method>
    </method-permission>
    <method-permission>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>admin</role-name>
      <method>
        <description><![CDATA[Change Password]]></description>
        <ejb-name>ejbsecdemo/SecDemo</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>change_passwd</method-name>
        <method-params>
          <method-param>java.lang.String</method-param>
        </method-params>
      </method>
    </method-permission>
    <method-permission>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>user</role-name>
      <role-name>admin</role-name>
      <method>
        <description><![CDATA[Get the square of a number.]]></description>
        <ejb-name>ejbsecdemo/SecDemo</ejb-name>
        <method-intf>Local</method-intf>
        <method-name>square</method-name>
        <method-params>
          <method-param>long</method-param>
        </method-params>
      </method>
    </method-permission>
    <method-permission>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>user</role-name>
      <role-name>admin</role-name>
      <method>
        <description><![CDATA[Get the square of a number.]]></description>
        <ejb-name>ejbsecdemo/SecDemo</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>square</method-name>
        <method-params>
          <method-param>long</method-param>
        </method-params>
      </method>
    </method-permission>
    <method-permission>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>anonymous</role-name>
      <method>
        <description><![CDATA[The ejbCreate Method]]></description>
        <ejb-name>ejbsecdemo/SecDemo</ejb-name>
        <method-intf>LocalHome</method-intf>
        <method-name>create</method-name>
        <method-params>
        </method-params>
      </method>
    </method-permission>
    <method-permission>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>anonymous</role-name>
      <method>
        <description><![CDATA[The ejbCreate Method]]></description>
        <ejb-name>ejbsecdemo/SecDemo</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>create</method-name>
        <method-params>
        </method-params>
      </method>
    </method-permission>
    <!-- transactions -->
    <!--
    To specify additional container-transaction elements, add a file in the merge
    directory called ejb-container-transactions.ent that contains them.
    -->
    <!-- finder transactions -->
    <!-- message destinations -->
    <!--
    To specify additional message-destination elements, add a file in the merge
    directory called ejb-message-destinations.ent that contains them.
    -->
    <!-- exclude list -->
    <!--
    To specify an exclude-list element, add a file in the merge directory
    called ejb-exclude-list.xml that contains it.
    -->
  </assembly-descriptor>
</ejb-jar>
I believe I am missing something to authenticate my client and to enforce the access restrictions, but I have no idea what. I am grateful for all tips.
Sven
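Added example (not part of the original post): a small Python audit that computes, from an EJB 2.1 ejb-jar.xml, which roles can actually call a given method. Method permissions in the assembly descriptor are cumulative, so the `*` grant to user and admin in the descriptor above also covers change_passwd even though a later permission lists only admin; the XML sample is a constructed trim of that descriptor.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/j2ee"}
# Constructed sample: the three permission styles used in the descriptor above.
EJB_JAR_XML = """<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <assembly-descriptor>
    <method-permission>
      <role-name>user</role-name><role-name>admin</role-name>
      <method><ejb-name>ejbsecdemo/SecDemo</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>admin</role-name>
      <method><ejb-name>ejbsecdemo/SecDemo</ejb-name><method-intf>Remote</method-intf>
        <method-name>change_passwd</method-name>
        <method-params><method-param>java.lang.String</method-param></method-params></method>
    </method-permission>
    <method-permission>
      <role-name>anonymous</role-name>
      <method><ejb-name>ejbsecdemo/SecDemo</ejb-name><method-intf>Home</method-intf>
        <method-name>create</method-name><method-params/></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""


def covers(m, ejb_name, intf, method, params):
    """True if one <method> element covers the call method(params) on intf."""
    if m.findtext("j:ejb-name", namespaces=NS) != ejb_name:
        return False
    name, m_intf = (m.findtext(t, namespaces=NS) for t in ("j:method-name", "j:method-intf"))
    if name != "*" and name != method:        # '*' = every method on every interface
        return False
    if m_intf is not None and m_intf != intf:  # no <method-intf> = all interfaces
        return False
    mp = m.find("j:method-params", NS)
    if mp is None:                             # no <method-params> = all overloads
        return True
    return tuple(p.text.strip() for p in mp.iterfind("j:method-param", NS)) == tuple(params)

def effective_roles(xml_text, ejb_name, intf, method, params=()):
    """Roles allowed to call the method. Permissions are cumulative: every
    <method-permission> whose <method> covers the call contributes its roles."""
    roles = set()
    for perm in ET.fromstring(xml_text).iterfind(".//j:method-permission", NS):
        if any(covers(m, ejb_name, intf, method, params) for m in perm.iterfind("j:method", NS)):
            roles |= {r.text.strip() for r in perm.iterfind("j:role-name", NS)}
    return roles

def extra_callers(xml_text, ejb_name, intf, method, params, intended):
    """Roles that may call the method beyond the set the deployer intended."""
    return sorted(effective_roles(xml_text, ejb_name, intf, method, params) - set(intended))
```

Running extra_callers for change_passwd on the Remote interface with intended={"admin"} returns ["user"], which is the wildcard grant showing through.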