4 Replies Latest reply on Sep 4, 2007 9:32 PM by LeQuoc Thai

    How to secure beans ?

    LeQuoc Thai Novice

      Hi all!
      I use

      jboss-4.0.5.GA, EJB3.0, Windows XP SP2.

      If the stranger get my beans and paste his "deploy" folder on his machine -->> all things are ok (mean is bean will deployed !)
      Jboss has support some options to me can set up to the stranger can't deploy my beans if he has it ?.
      I have a way that sign on two file ejb-jar.xml and jboss.xml on my bean, then package my bean (contain this two files) to jar file. Have some ideal ?
      If can, show me some documents. Thanks !

        • 1. Re: How to secure beans ?
          Peter Johnson Master

          I assume that you are asking how to restrict access to methods in EJB 3 session beans. To do this, you need to do two things.

          First, secure your EJB. To do this, use the annotations @SecurityDomain on the class and @PermitAll and @RolesAllowed on the methods, or use the XML configuration file equivalents. Any EJB 3 book should tell you how to do this.

          Second, define the security domain within JBoss AS by editing the server/xxx/conf/login-conf.xml file. You can read about this at http://docs.jboss.com/jbossas/guides/j2eeguide/r2/en/html_single/#ch8.chapter

          • 2. Re: How to secure beans ?
            LeQuoc Thai Novice

            Hi !

            I declared SecurityDomain in XML configuration file. But my problem is: If the stranger has my bean. And he can extract it, and see XML configuration file and know SecurityDomain (and he can edit file login-config.xml on machine). How way to set he can't deploy my bean on his machine ?

            Thanks !

            • 3. Re: How to secure beans ?
              Peter Johnson Master

              I am not sure that I understand your question.

              If the "stranger" has access to your configuration files and can modify them, then there is no way to keep the stranger out. In other words, you have no security.

              • 4. Re: How to secure beans ?
                LeQuoc Thai Novice

                1. I declared SecurityDomain (ex: ClientDomain) inside jboss.xml file. And then, I package my bean to jar file (ex: myBean.jar).
                2. The Stranger get it (myBean.jar), he can extract it. And he can see all things in jboss.xml file. (Here, I know SecurityDomain that I declare).
                I understand your mind! And it's very useful. I also think that I the Stranger can access JBoss Server (and can know about login-config.xml) --> my beans are not security.
                Thanks sir!