9 Replies Latest reply on May 19, 2006 12:13 PM by Richard Schuller

    Restricting access to datasources

    Richard Schuller Newbie

      Can I define a datasource that is only visible to my application's ejbs and not to other apps co-existing on the same server?

        • 2. Re: Restricting access to datasources
          Richard Schuller Newbie

          Great,

          Following your suggestion I have configured a stacked login module, but this way all the Active Directoryt users will be given access to the datasource.
          Is there a way to restrict it to a group, or I need to write a custom login module?

          <application-policy name = "AlloraDbRealm">

          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
          <module-option name="java.naming.provider.url">ldap://palm/</module-option>
          <module-option name="rolesCtxDN">cn=Users,dc=palm,dc=abc,dc=com</module-option>
          <module-option name="matchOnUserDN">false</module-option>
          <module-option name="principalDNSuffix">@palm.abc.com</module-option>
          <module-option name="uidAttributeID">sAMAccountName</module-option>
          <module-option name="roleAttributeID">memberOf</module-option>
          <module-option name="roleAttributeIsDN">true</module-option>
          </login-module>

          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
          <module-option name = "principal">sa</module-option>
          <module-option name = "userName">sa</module-option>
          <module-option name = "password"></module-option>
          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=AlloraDS</module-option>
          </login-module>

          </application-policy>

          • 3. Re: Restricting access to datasources
            daniel rodrigues Newbie

            I have same problem:

            Check if user (authenticated from AD) can lookup the datasource...
            I tried make use of many modules but can't get informations like what user is accessing the application server.


            Anyone can tell me the way?

            • 4. Re: Restricting access to datasources
              Richard Schuller Newbie

              Inside your EJB you can do something like:

              @Resource
               SessionContext ctx;
               public void getPrincipal () {
              ...
              Principal p = ctx.getCallerPrincipal();
              ..
               }


              • 5. Re: Restricting access to datasources
                Weston Price Newbie

                In your EJB, you can do a user-role mapping that only allows particular users from your AD to invoke those EJB(s). This is the caller identity that will be used when invoking your DS.

                Take a look at the J2EE security section in the spec for more information.

                • 6. Re: Restricting access to datasources
                  Richard Schuller Newbie

                  I am using the user-role mapping for my EJBs, however I would like to secure the datasource only (i.e. regardless if it's used by EJB's, standalone classes, servlets, etc). In other words being able to say that this datasource is only to be used by this role.

                  • 7. Re: Restricting access to datasources
                    Weston Price Newbie

                    That is, in essence, what you are doing. You reduce the visibility of the DataSource to only those roles that are allowed to invoke your EJB's. The datasource itself has no concept of secured invocation on it's own, being that it can only be invoked in the context of a managed operation (ie an operation from an EJB/Servlet). If a subject that is not not allowed to invoke an operation on an EJB attempts such an operation, it will not succeed.

                    Again, since you will not, by default, be able to use the DS outside of the container only EJB/Servlets will have access.

                    • 8. Re: Restricting access to datasources
                      Richard Schuller Newbie

                      How about other applications deployed in the same context? i.e. an EJB from another application accessing the DS? I agree that the DS has no concept of secured invokation, but it can be associated with a security domain that will control access to that DS (as per the post bellow)

                      http://wiki.jboss.org/wiki/Wiki.jsp?page=ConfigJCALoginModule


                      The question is, how do you restrict access to a specific role? I am playing around with cascading LoginModules:

                      LoginModule1. login to AD
                      LoginModule2. login to custom LoginModule that accesses a secured by role EJB. If the ejb invokation is successful,
                      LoginModule3.ConfiguredIdentityLoginModule for the DS credentials

                      • 9. Re: Restricting access to datasources
                        Richard Schuller Newbie

                        The stacked approach does work, unfortunately after the connection pool is created, subsequent calls are getting the conection from the pool and the DS security policy is not invoked anymore. If the user creating the connection pool has the right credentials, subsequent getConnection() calls are ignored.