
    Howto use declarative ejb security with a standalone client?

    sven-loe

      Hello,

      I have a standalone client that uses EJBs in a JBoss4 AS.

      Client --> JBoss Beans

      The connection works fine, but I need to secure the JBoss side, so I use declarative security for my session beans. The problem is that JBoss does not block unauthorized calls to them: every call, authenticated or not, goes through.

      My config:

      I created the roles.properties and users.properties files.

      I added this to my login-config.xml:

      <!-- EJB login configuration with property files -->
      <!--
        NOTE(review): defining this policy does not by itself protect anything.
        JBoss applies it to a bean only when META-INF/jboss.xml binds the
        deployment to the domain "java:/jaas/EJBLogin" with a <security-domain>
        element. The post shows no such binding, and an unbound bean is not
        checked by the security interceptor at all, which would explain why
        unauthorized calls get through.
      -->
      <application-policy name = "EJBLogin">

      <!-- "required": every caller must satisfy this module; there is no fallback module. -->
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required">
      <!--
        Both files are located as classpath resources of the deployment (e.g.
        packaged in the EJB jar), not relative to login-config.xml - TODO confirm
        for this JBoss version.
      -->
      <module-option name="usersProperties">users.properties</module-option>
      <!--
        Group names in roles.properties are handed to the container verbatim as
        role names, so they must literally be the security-role names used in
        ejb-jar.xml (user, anonymous, admin).
      -->
      <module-option name="rolesProperties">roles.properties</module-option>
      <!-- JBoss really spells this option "Seperator"; "." is also the default, so this line is harmless but redundant. -->
      <module-option name="roleGroupSeperator">.</module-option>
      <!--
        Security-relevant: a caller that presents NO credentials is not
        rejected. It is logged in as principal "nobody" and carries exactly the
        roles that roles.properties lists for nobody. Every role on that line is
        therefore granted to every unauthenticated client - keep it to the
        anonymous role, or remove this option to make authentication mandatory.
        (A wrong password still fails; only the absence of credentials is mapped.)
      -->
      <module-option name="unauthenticatedIdentity">nobody</module-option>
      </login-module>

      </application-policy>

      I have added these properties to the InitialContext constructor:

      // Client-side credential setup for JBoss. NOTE(review): as I recall,
      // JndiLoginInitialContextFactory performs no login at all when the context
      // is created - it only attaches principal/credentials to the calling
      // thread, and they are presented with each EJB invocation. The server
      // validates them only for beans bound to a security domain in jboss.xml,
      // so a successfully created InitialContext proves nothing about
      // authentication. Confirm against the JBoss 4 security documentation.
      p.put(Context.SECURITY_PRINCIPAL, username);
      // The password is carried by the invoker transport as-is; the default RMI
      // invoker is not encrypted - TODO confirm which transport is configured.
      p.put(Context.SECURITY_CREDENTIALS, passwd);
      // `protocol` is not shown. For this factory SECURITY_PROTOCOL does not
      // select the server-side policy (that comes from the bean's
      // security-domain); it names a JAAS login configuration only for
      // org.jboss.security.jndi.LoginInitialContextFactory - verify before
      // relying on it.
      p.put(Context.SECURITY_PROTOCOL, protocol);
      p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
      // As pasted this is not valid Java; presumably `new InitialContext(p)` in the real client.
      InitialContext(p);

      I have created this deployment descriptor (ejb-jar.xml):

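      <?xml version="1.0" encoding="UTF-8"?>

      <!--
        NOTE(review): this descriptor only DECLARES roles and method permissions;
        the container enforces them only if the deployment is bound to a security
        domain. Nothing in this post binds the bean to the "EJBLogin" policy that
        login-config.xml defines, and an unbound deployment is not checked by
        JBoss's security interceptor at all (the symptom described: every call
        gets through). The binding belongs in META-INF/jboss.xml:

          <jboss>
            <security-domain>java:/jaas/EJBLogin</security-domain>
          </jboss>

        Other changes in this copy: the <session>, <home>, <remote>, <local>,
        <description> and <method> tags that were lost when the descriptor was
        pasted are restored in ejb-jar_2_1.xsd order, and the two dangling
        role-link values are fixed (see the security-role-ref comment).
      -->
      <ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd" version="2.1">

        <description><![CDATA[No Description.]]></description>
        <display-name>Generated by XDoclet</display-name>

        <enterprise-beans>

          <!-- Session Beans -->
          <session>
            <description><![CDATA[Interface Bean for SAP Cats System]]></description>
            <display-name>EJB SapInterface Bean</display-name>
            <ejb-name>ejbsecdemo/SecDemo</ejb-name>
            <home>ejbsecdemo.SecDemoHome</home>
            <remote>ejbsecdemo.SecDemo</remote>
            <local-home>ejbsecdemo.SecDemoLocalHome</local-home>
            <local>ejbsecdemo.SecDemoLocal</local>
            <ejb-class>ejbsecdemo.SecDemoBean</ejb-class>
            <session-type>Stateful</session-type>
            <transaction-type>Container</transaction-type>

            <!--
              security-role-ref maps the names the bean code passes to
              isCallerInRole() onto security-role elements declared in the
              assembly-descriptor. The original linked to "users" and "admins",
              which are declared nowhere below (only user, anonymous and admin
              are), so both refs were dangling. They now link to the declared
              roles; roles.properties must use those same names.
            -->
            <security-role-ref>
              <role-name>user</role-name>
              <role-link>user</role-link>
            </security-role-ref>
            <security-role-ref>
              <role-name>admin</role-name>
              <role-link>admin</role-link>
            </security-role-ref>

            <!-- Calls this bean makes to other beans carry the caller's own identity, not a run-as role. -->
            <security-identity>
              <use-caller-identity />
            </security-identity>
          </session>

          <!--
          To add session beans that you have deployment descriptor info for, add
          a file to your XDoclet merge directory called session-beans.xml that contains
          the markup for those beans.
          -->

          <!-- Entity Beans -->
          <!--
          To add entity beans that you have deployment descriptor info for, add
          a file to your XDoclet merge directory called entity-beans.xml that contains
          the markup for those beans.
          -->

          <!-- Message Driven Beans -->
          <!--
          To add message driven beans that you have deployment descriptor info for, add
          a file to your XDoclet merge directory called message-driven-beans.xml that contains
          the <message-driven></message-driven> markup for those beans.
          -->

        </enterprise-beans>

        <!-- Relationships -->

        <!-- Assembly Descriptor -->
        <!--
        To specify your own assembly descriptor info here, add a file to your
        XDoclet merge directory called assembly-descriptor.xml that contains
        the <assembly-descriptor></assembly-descriptor> markup.
        -->

        <assembly-descriptor >
          <!--
          To specify additional security-role elements, add a file in the merge
          directory called ejb-security-roles.xml that contains them.
          -->
          <!--
            These role names are what roles.properties must use verbatim
            (user, anonymous, admin): UsersRolesLoginModule passes the
            property-file group names through as role names, and to my knowledge
            JBoss 4 has no further EJB role-mapping step (verify). A role that
            never appears in roles.properties can be held by no caller.
          -->
          <security-role>
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>user</role-name>
          </security-role>
          <security-role>
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <!--
              "anonymous" is not a built-in role. Callers that present no
              credentials are logged in as the unauthenticatedIdentity principal
              from login-config.xml ("nobody") and hold exactly the roles that
              roles.properties assigns to nobody. A line nobody=anonymous is what
              makes the anonymous grants below reachable; anything beyond
              anonymous on that line is handed to every unauthenticated caller.
            -->
            <role-name>anonymous</role-name>
          </security-role>
          <security-role>
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>admin</role-name>
          </security-role>

          <!-- method permissions -->
          <!--
          To specify additional method-permission elements, add a file in the merge
          directory called ejb-method-permissions.ent that contains them.
          -->
          <!--
            Grants user and admin EVERY method on every interface, home
            interfaces included. Permissions are unioned per method, so the more
            specific entries below can only add principals (anonymous); none of
            them can narrow what this wildcard already allows. See the
            change_passwd entries for where that bites.
          -->
          <method-permission >
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>user</role-name>
            <role-name>admin</role-name>
            <method>
              <description><![CDATA[description not supported yet by ejbdoclet]]></description>
              <ejb-name>ejbsecdemo/SecDemo</ejb-name>
              <method-name>*</method-name>
            </method>
          </method-permission>

          <!--
            NOTE(review): the description says authenticate() "sets the role in
            the Container". A bean method cannot do that. The caller principal and
            roles are fixed by the container from the client's JAAS login before
            the method is entered, and nothing the method does changes them for
            later calls. Letting anonymous callers invoke it is harmless, but it
            is not the mechanism that authorizes square() or change_passwd().
          -->
          <method-permission >
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>anonymous</role-name>
            <role-name>user</role-name>
            <role-name>admin</role-name>
            <method>
              <description><![CDATA[Authenticate the User and set the role in the Container.]]></description>
              <ejb-name>ejbsecdemo/SecDemo</ejb-name>
              <method-intf>Local</method-intf>
              <method-name>authenticate</method-name>
              <method-params>
                <method-param>java.lang.String</method-param>
                <method-param>java.lang.String</method-param>
              </method-params>
            </method>
          </method-permission>
          <!-- Remote view of authenticate(String, String); same note as above. -->
          <method-permission >
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>anonymous</role-name>
            <role-name>user</role-name>
            <role-name>admin</role-name>
            <method>
              <description><![CDATA[Authenticate the User and set the role in the Container.]]></description>
              <ejb-name>ejbsecdemo/SecDemo</ejb-name>
              <method-intf>Remote</method-intf>
              <method-name>authenticate</method-name>
              <method-params>
                <method-param>java.lang.String</method-param>
                <method-param>java.lang.String</method-param>
              </method-params>
            </method>
          </method-permission>

          <!--
            Security-relevant: this entry does NOT make change_passwd admin-only.
            The wildcard entry above already grants it to user, and permissions
            are unioned, so any user-role caller can change the password. To
            restrict it, take change_passwd out of the wildcard (list the
            user-callable methods explicitly) and keep only this admin grant.
          -->
          <method-permission >
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>admin</role-name>
            <method>
              <description><![CDATA[Change Password]]></description>
              <ejb-name>ejbsecdemo/SecDemo</ejb-name>
              <method-intf>Local</method-intf>
              <method-name>change_passwd</method-name>
              <method-params>
                <method-param>java.lang.String</method-param>
              </method-params>
            </method>
          </method-permission>
          <!-- Remote view of change_passwd(String); same caveat as above. -->
          <method-permission >
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>admin</role-name>
            <method>
              <description><![CDATA[Change Password]]></description>
              <ejb-name>ejbsecdemo/SecDemo</ejb-name>
              <method-intf>Remote</method-intf>
              <method-name>change_passwd</method-name>
              <method-params>
                <method-param>java.lang.String</method-param>
              </method-params>
            </method>
          </method-permission>

          <!-- square(long): already covered by the wildcard; these entries are redundant but document intent. -->
          <method-permission >
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>user</role-name>
            <role-name>admin</role-name>
            <method>
              <description><![CDATA[Get the square of a number.]]></description>
              <ejb-name>ejbsecdemo/SecDemo</ejb-name>
              <method-intf>Local</method-intf>
              <method-name>square</method-name>
              <method-params>
                <method-param>long</method-param>
              </method-params>
            </method>
          </method-permission>
          <method-permission >
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>user</role-name>
            <role-name>admin</role-name>
            <method>
              <description><![CDATA[Get the square of a number.]]></description>
              <ejb-name>ejbsecdemo/SecDemo</ejb-name>
              <method-intf>Remote</method-intf>
              <method-name>square</method-name>
              <method-params>
                <method-param>long</method-param>
              </method-params>
            </method>
          </method-permission>

          <!--
            Unauthenticated clients may obtain the home and create a session
            (needed so they can reach authenticate()). Because of the wildcard,
            user and admin can too. An empty method-params selects the no-arg
            create() only.
          -->
          <method-permission >
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>anonymous</role-name>
            <method>
              <description><![CDATA[The ejbCreate Method]]></description>
              <ejb-name>ejbsecdemo/SecDemo</ejb-name>
              <method-intf>LocalHome</method-intf>
              <method-name>create</method-name>
              <method-params>
              </method-params>
            </method>
          </method-permission>
          <method-permission >
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>anonymous</role-name>
            <method>
              <description><![CDATA[The ejbCreate Method]]></description>
              <ejb-name>ejbsecdemo/SecDemo</ejb-name>
              <method-intf>Home</method-intf>
              <method-name>create</method-name>
              <method-params>
              </method-params>
            </method>
          </method-permission>

          <!-- transactions -->
          <!--
          To specify additional container-transaction elements, add a file in the merge
          directory called ejb-container-transactions.ent that contains them.
          -->

          <!-- finder transactions -->

          <!-- message destinations -->
          <!--
          To specify additional message-destination elements, add a file in the merge
          directory called ejb-message-destinations.ent that contains them.
          -->

          <!-- exclude list -->
          <!--
          To specify an exclude-list element, add a file in the merge directory
          called ejb-exclude-list.xml that contains it.
          -->
          <!--
            An exclude-list entry is the only thing that overrides a grant made
            above: a method listed there is denied to every caller regardless of
            method-permission. Useful if a method must not be remotely callable
            at all.
          -->
        </assembly-descriptor>

      </ejb-jar>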

      I believe I am missing something that authenticates my client on the server side and makes JBoss enforce the access restrictions, but I have no idea what. I am grateful for any tips.

      Sven