3 Replies Latest reply on Apr 5, 2006 1:52 PM by Scott Stark

    SecurityIncerceptor, EJB 3.0 RC5

    Jonathan Beer Newbie

      Hi,

      I am using JBoss AS 4.0.3 SP1, with EJB3.0-RC5, and am fairly new to JBoss/security.

      I am trying to create a security interceptor to intercept all calls made to any EJB and do some logging (who's trying to call what methods).

      I have tried to implement the org.jboss.security.SecurityProxy interface, however, this doesn't seem to jive with EJB3.0. For one, it requires the javax.ejb.EJBContext interface (setEJBContext), which is not in the javax.ejb package (since I'm using EJB3.0-RC5), and I don't see it bound in the JNDI.

      I feel like I'm barking up the wrong tree. Could anybody shed some light/insight into my problem? Should I be trying to implement the SecurityProxy or am I going about this the wrong way?

      Thank you,
      Jonathan

        • 1. Re: SecurityIncerceptor, EJB 3.0 RC5
          Alessandro Oliveira Newbie

          I created a TracingInterceptor with the code below:

          
          public class TracingInterceptor {
          
           @Resource SessionContext sessionCtx;
          
           @AroundInvoke
           public Object log(InvocationContext invocationCtx) throws Exception {
           Logger log = Logger.getLogger(invocationCtx.getBean().getClass());
          
           long start = System.currentTimeMillis();
           try {
           return invocationCtx.proceed();
           } catch(Exception e) {
           log.error("Intercepted Exception",e);
           throw e;
           } finally {
           Principal callerPrincipal = sessionCtx.getCallerPrincipal();
           long time = System.currentTimeMillis() - start;
           log.info(callerPrincipal.getName()+": "+invocationCtx.getMethod().getName() + "() " + time + "ms");
           }
           }
          }
          


          And in my EJB I have:

          @Stateless
          @Interceptors({TracingInterceptor.class})
          @Local(ContaMgt.class)
          public class ContaMgrBean implements ContaMgt {
          
           @PersistenceContext() EntityManager manager;
          
           @RolesAllowed({"administrator","user"})
           public ContaDTO buscaConta(Long exercicioId, String contaCodigo) {
           ContaAbstract conta = (ContaAbstract)manager
           .createNamedQuery("ContaAbstract.buscaPorExercicioIdContaCodigo")
           .setParameter("exercicioId",exercicioId)
           .setParameter("codigo",contaCodigo)
           .getSingleResult();
          
           return DTOHelper.makeContaDTO(conta);
           }
          


          I don't know if this is the best solution, but it worked for me.

          good luck,

          Alessandro Oliveira
          Brazil

          • 2. Re: SecurityIncerceptor, EJB 3.0 RC5
            Jonathan Beer Newbie

            Thanks for your response Alessandro, but it's not quite what I'm looking for. I've already successfully created an EJB Interceptor (I get who is actually calling that bean). What I'm trying to do is find out who is TRYING to call into that bean, ie/ I need to get the failed attempts too -- the ones that are not authorized (and therefore don't get to the point where they're invoking the bean).

            So I'm still searching for an answer, if anybody's got ideas.

            • 3. Re: SecurityIncerceptor, EJB 3.0 RC5
              Scott Stark Master

              Create an aop interceptor on the ejb3 container.