EJB security

Hello !
I read that controlled access to EJB methods can be achieved by means of defining security roles (in the EJB deployment descriptors). I also read that each time an EJB method is called, the EJB client's Principal is forwarded to the EJB context. What I don't know is how to establish a link between the client's principal and EJB security roles. I guess it should be possible. If not, how would the method isCallerInRole work? Can anyone help me?
Pascal.

The primary concept for EJB security is that of "roles".
A user may be in one or more roles. It is only roles that have particular access rights, not users. So for instance, the "administrator" role might have certain access rights that the "client" role might not. If a user is switched from being a "client" to an "administrator" (or is given both roles), that user will then have access to all the methods accessible to the "administrator" role.
Each method can be restricted based upon roles. The restrictions are listed in the <assembly-descriptor> tag. First of all, all roles must be listed. Then for each method, the access rights are listed by role. An example is shown below:
<assembly-descriptor>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
  <security-role>
    <role-name>client</role-name>
  </security-role>
  <method-permission>
    <role-name>administrator</role-name>
    <role-name>client</role-name>
    <method>
      <ejb-name>StockQuotes</ejb-name>
      <method-name>buy</method-name>
    </method>
    <method>
      <ejb-name>StockQuotes</ejb-name>
      <method-name>getPrice</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
Each method-permission tag may list one or more role names, followed by one or more methods that are accessible for those roles. The "*" character may be used as a method name (indicating all methods). For multiple methods with the same name, the EJB specifications allow detailed parameter lists and interface type to identify methods uniquely, but this is outside the scope of this tutorial -- check reference material if you need to do this.
The actual mapping from user names to security roles, and the specification of user names and passwords is application-server dependent.
Hope this helps
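As an added example (not code from the original post), a small Python model of the container-side check the answer describes: it parses an <assembly-descriptor> like the one above (security roles, method-permission, the "*" wildcard and <unchecked/>), applies a WebLogic-style <security-role-assignment> to map a caller's user and group names onto EJB roles, and answers both isCallerInRole and the per-method access decision. Both descriptors are constructed samples; treating a method that no method-permission covers as denied is an assumption noted in the code, since the EJB specification leaves those methods to the deployer and container defaults differ.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample descriptors: the ejb-jar fragment extends the StockQuotes example with an
# <unchecked/> method and a '*' wildcard; the second is a WebLogic-style <security-role-assignment>,
# where each principal-name is a user or group name in the server's realm.
EJB_JAR_XML = """<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>administrator</role-name></security-role>
    <security-role><role-name>client</role-name></security-role>
    <method-permission>
      <role-name>administrator</role-name>
      <role-name>client</role-name>
      <method><ejb-name>StockQuotes</ejb-name><method-name>buy</method-name></method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method><ejb-name>StockQuotes</ejb-name><method-name>getPrice</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>administrator</role-name>
      <method><ejb-name>AdminBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""
WEBLOGIC_EJB_JAR_XML = """<weblogic-ejb-jar>
  <security-role-assignment>
    <role-name>administrator</role-name>
    <principal-name>admins</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>client</role-name>
    <principal-name>traders</principal-name>
    <principal-name>jzhu</principal-name>
  </security-role-assignment>
</weblogic-ejb-jar>"""

def _local(tag):
    """Strip a namespace so DTD-based (EJB 2.x) and xmlns (EJB 3.x) descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    return [c.text.strip() for c in _children(elem, name)]

@dataclass(frozen=True)
class MethodPermission:
    roles: frozenset    # roles granted access (empty when unchecked)
    unchecked: bool     # <unchecked/>: callable by any caller, authenticated or not
    methods: frozenset  # (ejb-name, method-name) pairs; method-name may be '*'

def parse_assembly_descriptor(xml_text):
    """Return (declared role names, [MethodPermission]). Raises ValueError when a method-permission
    names a role no <security-role> declares: a deployment bug better caught here than left to the container."""
    declared, permissions = set(), []
    for ad in (e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == "assembly-descriptor"):
        for sr in _children(ad, "security-role"):
            declared.update(_text(sr, "role-name"))
        for mp in _children(ad, "method-permission"):
            roles = frozenset(_text(mp, "role-name"))
            if roles - declared:
                raise ValueError("undeclared role(s) in method-permission: %s" % sorted(roles - declared))
            methods = frozenset((_text(m, "ejb-name")[0], _text(m, "method-name")[0])
                                for m in _children(mp, "method"))
            permissions.append(MethodPermission(roles, bool(_children(mp, "unchecked")), methods))
    return declared, permissions

def parse_role_assignments(xml_text):
    """Return {role-name: {principal names}} from <security-role-assignment> elements."""
    assignments = {}
    for sra in (e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == "security-role-assignment"):
        assignments.setdefault(_text(sra, "role-name")[0], set()).update(_text(sra, "principal-name"))
    return assignments

def caller_roles(user, groups, assignments):
    """Roles the caller holds: a role is granted when its principal list names the user or one of the user's groups."""
    principals = {user} | set(groups)
    return {role for role, names in assignments.items() if names & principals}

def is_caller_in_role(user, groups, assignments, role):
    """Equivalent of EJBContext.isCallerInRole() under the mapping above."""
    return role in caller_roles(user, groups, assignments)

def may_invoke(permissions, roles, ejb_name, method_name):
    """Container-style decision: allow if any method-permission covering the method (exact name or '*')
    is <unchecked/> or lists a role the caller holds. Methods covered by no method-permission are denied
    here (assumption: the EJB spec leaves them to the deployer and container defaults differ; verify yours)."""
    for perm in permissions:
        if (ejb_name, method_name) in perm.methods or (ejb_name, "*") in perm.methods:
            if perm.unchecked or perm.roles & roles:
                return True
    return False

if __name__ == "__main__":
    _, perms = parse_assembly_descriptor(EJB_JAR_XML)
    assignments = parse_role_assignments(WEBLOGIC_EJB_JAR_XML)
    for user, groups, ejb, method in [("alice", ["admins"], "AdminBean", "shutdown"), ("bob", ["traders"], "StockQuotes", "sell")]:
        print(user, ejb, method, "->", "ALLOW" if may_invoke(perms, caller_roles(user, groups, assignments), ejb, method) else "DENY")
```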

Similar Messages

  • Problem mapping LoginModule roles to ejb security roles

    I have "successfully" managed to implement the DBSystemLoginModule. When I run my application I successfully authenticate to the database, the login module successfully retrieves the user's roles from the database and adds them to the subject:
    PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
    LoginContext lc = new LoginContext("current-workspace-app", cbh);
    lc.login();
    I then perform a lookup on a bean using the same user:
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
    env.put("java.naming.security.principal",username);
    env.put("java.naming.security.credentials",password);
    env.put("java.naming.provider.url", "ormi://localhost:23891/current-workspace-app");
    Context ic = new InitialContext(env);
    final SessionEJBHome sessionEJBHome =
    (SessionEJBHome) PortableRemoteObject.narrow( ic.lookup( "SessionEJB" ), SessionEJBHome.class );
    Finally, I create an instance of the bean and call a method of this bean.
    SessionEJB sessionEJB;
    sessionEJB = sessionEJBHome.create( );
    sessionEJB.testMe( );
    I am expecting (hoping) that the roles retrieved from the database by the login module may be used to authenticate the ejb methods. i.e. if (in ejb-jar.xml) the method "testMe" has a method-permission with role-name of "ABC" then this method may only be accessed if the user is a member of the "ABC" role retrieved from the database by the login module. However I get the message:
    "username is not allowed to call this EJB method"
    When I add a security-role-mapping in orion-ejb-jar.xml mapping the role "ABC" to the group "ABC" (and impliesALL="true") then the method is called successfully. However, if I add a security-role-mapping mapping the role "DEF" to the group "DEF" (which the user is not a member of) the ejb method is (wrongly) called successfully (with implies all="false" the method always fails). In other words there seems to be no mapping of the roles retrieved by the login module to the ejb security roles.
    Can anyone please enlighten me on how I can achieve the mapping of the ejb security roles to the roles obtained from the login module.
    Thanks
    PS I have this problem with JDeveloper 10.1.3 (Developer Preview 10.1.3.0.2.223 and Early Access 10.1.3.0.3.3412)

    Hi Sebastian,
    yes, it is possible to do such mapping. And here is how it works:
    1. define security roles in the ejb-jar.xml within the <security-role> element. For example:
    <security-role>
         <role-name>test</role-name>
    </security-role>
    2. then you map those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
    <security-permission>
       <security-role-map>
          <role-name>test</role-name>
          <server-role-name>myUMErole</server-role-name>
       </security-role-map>
    </security-permission>
    the myUMErole must be defined in the UME!
    Does this answer your question?

  • Using the Audit Provider to log ejb security events

    I would like to use the audit provider to log security events for EJBs that use container-managed security. Specifically I want to record the name of the EJB being accessed, the method the user is accessing, the time of the event and the user name of the user who is accessing the EJB. So far I have created an EJB that has method-permissions defined in the ejb-xml file. I have a number of users with different levels of permissions and the security is working. I have also installed the example Audit class that is shipped with WebLogic. I am getting Audit info in the log file, but I do not get any EJB info being logged. Is it possible to use the Audit provider that WebLogic provides to audit EJB security events? Do I need to do something special to make this work? Please help, I can not find any documentation about what the audit provider logs.

    Actually I never tried to login into the provider, but I understand you just need the keys.
    Try this code, it works for me (some pieces are missing, but this is the core)
            import java.security.KeyStore;
            import java.security.PrivateKey;
            import java.security.Provider;
            import java.security.Security;
            import java.security.cert.Certificate;
            import sun.security.pkcs11.SunPKCS11;

            // providerFile is a String: the path to the PKCS#11 configuration file
            Provider provider = new SunPKCS11(providerFile);
            Security.addProvider(provider);
            KeyStore store = KeyStore.getInstance("PKCS11");
            char[] pin = pinAsString.toCharArray();
            store.load(null, pin);                                     // logs in to the token with the PIN
            PrivateKey key = (PrivateKey) store.getKey(alias, null);   // a handle to the on-token key, not extracted key material
            Certificate[] chain = store.getCertificateChain(alias);
            .....
    Using this approach I managed to read all the information from the provider (aliases, certificates, ...). I'm not sure that's what you needed, but I hope it helped.

  • Wl5.1 ejb security checking is backwards

    In 5.1, for ejb security checking you seem to check for users first, then groups.
    i.e.:
    at weblogic.security.acl.CachingRealm.getUser(CachingRealm.java:1057)
    at weblogic.ejb.internal.SecurityRoleMapping.lookupPrincipal(SecurityRoleeMapping.java:236)
    I don't have the code, but from the stack I can see you first calling getUser, and if it's null, then calling getGroup.
    I think in 4.51 you checked groups first (I don't have the stack since it's long gone, but I didn't have the SQL I'm getting generated in 4.5.1).
    Since most people map ejbs to groups (mapping directly to users is inflexible), I think it would make sense from a performance perspective to check groups first, then look for users.
    Also, for compatibility's sake, I would think such a change should be noted in the release notes.
    Let me know if you agree, and I'll open a case with support.
    -Joel

  • Retrieve ejb security roles list

    Hi,
    in an EJB stateless session bean, is it possible to retrieve, through the EJB context, the list of configured roles related to the current user?
    Thanks in advance.
    bye
    Rob

    Based on the link given, here is the XML. This XML already exists in the application and has the following structure:
    <security-permission>
       <security-role-map>
          <role-name>developer</role-name>
          <server-role-name>role1</server-role-name>
          <server-role-name>role2</server-role-name>
          <server-role-name>role3</server-role-name>
          <server-role-name>role4</server-role-name>
          <server-role-name>role5</server-role-name>
       </security-role-map>
    </security-permission>
    My question is, which of the following annotations will work:
    @RolesAllowed(value=)
    or
    @RolesAllowed(value=)  //currently I am using this.
    Edited by: Arpit Goyal on Feb 27, 2009 4:39 AM

  • EJB security roles

    Hello,
    I am using JDeveloper 3.2.2 to deploy EJBs to an 8.1.7 DB. Could someone point me in the direction of some documentation that would explain the concept of security roles and users for EJB methods? Do the users have to map to real users in the DB or how are they handled etc.
    Thanks in advance,
    - Nik

  • EJB Security and RDBMSRealm

    Greetings,
    I have implemented a version of RDBMSRealm and it works fairly well. Because we have reasonably complex rules for creating users, authenticating them, etc., we chose to develop a SessionBean that handles adding, changing, deleting users, etc. Also, I have a method to log onto the realm that first goes through some complex rules, and finally, if they pass, uses the ServletAuthentication class to create a context and authenticate with the realm.
    Trying to access the SessionBean is now throwing a security exception indicating that there is no permission on the "logon" method. But our EJB deployment descriptors don't specify any permissions. At the point of calling "logon" we haven't been authenticated to WebLogic.
    1. Is this going to be a catch-22: we can't get authenticated because we can't use the method, and we can't use the method because we're not authenticated?
    2. If that is the case, does the logon method need to be moved from the SessionBean to an ordinary class?
    Many thanks,
    Jeff.

    1) yes
    2) yes
    This is why you are advised not to use EJBs in custom realms - the catch-22 you spoke of (the RDBMSRealm uses a delegate pool rather than a connection pool for similar reasons). You can't set up the realm without the EJB, and you can't access the EJB without being authorised, and you can't be authorised because the realm hasn't been set up yet.
    terry

  • EJB Security Violation when accessing WSRP remote portlet

    I have set up a portal server using Workshop 8.1.3 and made it a producer of a remote portlet. I turned off registration by setting it in wsrp-producer-config (<registration required="false" secure="false"/>). I have tested this remote portlet by accessing it from another Weblogic portal site.
    What I really want to do is to use this remote portlet on a MS SharePoint portal site (with the WSRP Web Part Toolkit for SharePoint, http://www.gotdotnet.com/workspaces/workspace.aspx?id=2e3d8a57-ec9f-4d16-9a81-a395679d6392). I think I can successfully connect to the weblogic portal site, but I get a security violation error:
    Error: [EJB:010160]Security Violation: User: '' has insufficient permission to access EJB: type=, application=Demo, module=netuix.jar, ejb=PortalCustomizationManager, method=createSuccessor, methodInterface=Remote, signature={com.bea.netuix.application.manager.CustomizationContext,com.bea.netuix.application.identifier.DesktopDefinitionId,com.bea.netuix.application.identifier.PortletInstanceId}.
    Can anyone tell me what I need to do to get past this security violation?
    Thank you very much.

    Thanks Subbu, this is what I am looking for, a way to get the requests and responses. I got the request/response from SOAP monitor. However I can't tell why it's not working (why the consumer doesn't have insufficient access). From the registration and service description, I can't tell anything wrong as they don't require any additional information for the consumer. I'll paste all the SOAP messages between my consumer/producer; please let me know if you notice anything wrong. The SOAP messages are in order. Thanks so much for your help.
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
    <register xmlns="urn:oasis:names:tc:wsrp:v1:types">
    <consumerName>wsrpConsumer</consumerName>
    <consumerAgent>wsrpConsumer.1.1</consumerAgent>
    <methodGetSupported>false</methodGetSupported>
    </register>
    </soap:Body>
    </soap:Envelope>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
    <urn:registerResponse xmlns:urn="urn:oasis:names:tc:wsrp:v1:types">
    <urn:registrationHandle>28011</urn:registrationHandle>
    </urn:registerResponse>
    </soapenv:Body>
    </soapenv:Envelope>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
    <getServiceDescription xmlns="urn:oasis:names:tc:wsrp:v1:types">
    <registrationContext>
    <registrationHandle>28011</registrationHandle>
    </registrationContext>
    </getServiceDescription>
    </soap:Body>
    </soap:Envelope>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
    <urn:getServiceDescriptionResponse xmlns:urn="urn:oasis:names:tc:wsrp:v1:types"> <urn:requiresRegistration>true</urn:requiresRegistration>
    <urn:offeredPortlets> <urn:portletHandle>portlet_1</urn:portletHandle>
    <urn:markupTypes>
    <urn:mimeType>text/html</urn:mimeType>
    <urn:modes>wsrp:view</urn:modes>
    <urn:windowStates>wsrp:normal</urn:windowStates>
    <urn:locales>en</urn:locales>
    <urn:locales>en-US</urn:locales>
    </urn:markupTypes>
    <urn:groupID>WSRPDemo</urn:groupID>
    <urn:description xml:lang="en-US">
    <urn:value/>
    </urn:description>
    <urn:shortTitle xml:lang="en-US">
    <urn:value>pageFlowPortlet</urn:value>
    </urn:shortTitle>
    <urn:title xml:lang="en-US">
    <urn:value>pageFlowPortlet</urn:value>
    </urn:title>
    <urn:displayName xml:lang="en-US">
    <urn:value>pageFlowPortlet</urn:value>
    </urn:displayName>
    <urn:usesMethodGet>true</urn:usesMethodGet>
    <urn:templatesStoredInSession>true</urn:templatesStoredInSession> <urn:doesUrlTemplateProcessing>true</urn:doesUrlTemplateProcessing>
    </urn:offeredPortlets> <urn:requiresInitCookie>perGroup</urn:requiresInitCookie>
    <urn:registrationPropertyDescription/>
    <urn:locales>en</urn:locales>
    <urn:locales>en-US</urn:locales>
    </urn:getServiceDescriptionResponse>
    </soapenv:Body>
    </soapenv:Envelope>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
    <clonePortlet xmlns="urn:oasis:names:tc:wsrp:v1:types">
    <registrationContext>
    <registrationHandle>28011</registrationHandle>
    </registrationContext>
    <portletContext>
    <portletHandle>portlet_1</portletHandle>
    </portletContext>
    <userContext>
    <userContextKey>wsrpConsumer</userContextKey>
    </userContext>
    </clonePortlet>
    </soap:Body>
    </soap:Envelope>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
    <soapenv:Fault xmlns:urn="urn:oasis:names:tc:wsrp:v1:types">
    <faultcode>urn:OperationFailed</faultcode>
    <faultstring>[EJB:010160]Security Violation: User: '<anonymous>' has insufficient permission to access EJB: type=<ejb>, application=Demo, module=netuix.jar, ejb=PortalCustomizationManager, method=createSuccessor, methodInterface=Remote, signature={com.bea.netuix.application.manager.CustomizationContext,com.bea.netuix.application.identifier.DesktopDefinitionId,com.bea.netuix.application.identifier.PortletInstanceId}.</faultstring>
    <detail>
    <urn:OperationFailed/>
    <urn1:FaultDetail xmlns:urn1="urn:bea:wsrp:wlp:v1:types">
    <urn1:created>2004-09-27T11:37:09.648-04:00</urn1:created>
    <urn1:trace>com.bea.wsrp.faults.OperationFailedException: [EJB:010160]Security Violation: User: '<anonymous>' has insufficient permission to access EJB: type=<ejb>, application=Demo, module=netuix.jar, ejb=PortalCustomizationManager, method=createSuccessor, methodInterface=Remote, signature={com.bea.netuix.application.manager.CustomizationContext,com.bea.netuix.application.identifier.DesktopDefinitionId,com.bea.netuix.application.identifier.PortletInstanceId}.</urn1:trace>
    </urn1:FaultDetail>
    </detail>
    </soapenv:Fault>
    </soapenv:Body>
    </soapenv:Envelope>

  • EJB security suppress in development and testing

    Hi,
    I'm not quite sure if it's the right place for the post, but it seems to me like a good one for a start. I think that my problem should be quite common and I'm really surprised that I can't find the answer :/ Perhaps I'm searching for the wrong thing, but let's get down to business :).
    I have a JEE project which includes an EJB module and an enterprise client.
    The EJB is secured; when I try to access its methods via the client I have to provide proper credentials and everything works perfectly well.
    However, during the development cycle 2 issues may arise:
    1. It can be frustrating that each time I need to access a secured method (i.e. every debug), I have to provide user credentials.
    2. I don't know how to programmatically provide credentials in order to make unit tests.
    So, is it possible to "suppress security" during development, so that no security checks are made?
    Maybe there are different solutions?
    Or are my assumptions wrong?

    Thanks, the solution works :)
    If anyone has the same issue, I provide my ejb-jar.xml.
    <?xml version="1.0" encoding="UTF-8"?>
    <ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"
             version="3.0"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd">
      <enterprise-beans>
        <session>
          <ejb-name>CartBean</ejb-name>
          <ejb-class>cart.secure.ejb.CartBean</ejb-class>
        </session>
      </enterprise-beans>
      <assembly-descriptor>
        <security-role>
          <role-name>kuku</role-name>
        </security-role>
        <method-permission>
          <unchecked/>
          <method>
            <ejb-name>CartBean</ejb-name>
            <method-name>*</method-name>
          </method>
        </method-permission>
      </assembly-descriptor>
    </ejb-jar>
    Only one thing that bothers me remains: why did I have to define the bean in the descriptor?
    If I didn't put <enter ... then I got the following error:
    Deploying application in domain failed; Error loading deployment descriptors for module [cart-secure] -- Referencing error: This bundle has no bean of name [CartBean]

  • Ejb security role & bea implementation

    A role has been defined in ejb-jar as follows:
    <security-role>
      <description><![CDATA[Deployer User]]></description>
      <role-name>deployer</role-name>
    </security-role>
    <method-permission>
      <description><![CDATA[Deployer Method Permission]]></description>
      <role-name>deployer</role-name>
      <method>
        <description><![CDATA[All method for CCPStateBean]]></description>
        <ejb-name>CCPStateBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    If the principal is included in the weblogic-ejb-jar as below, and the jndi lookup includes the SECURITY_PRINCIPAL (e.g., jzhu), the code works fine.
    <security-role-assignment>
      <role-name>deployer</role-name>
      <principal-name>jzhu</principal-name>
    </security-role-assignment>
    The problem comes when the principal is not included in weblogic-ejb-jar as above; instead a role "deployer" is defined in WLS. The user ("jzhu") is defined in the deployer group, and the deployer group belongs to the deployer role. The defaultRoleMapper is enabled. In this scenario, the access failed due to insufficient permission.
    Can an ejb-jar role relate to a WLS role? Please advise. THX.
    -John

    Thanks for the information. It works. I wish BEA monitored this newsgroup since this is not in their documentation. By the way, the following link clarifies the relationship between the DD and the admin console security configuration.
    http://edocs.bea.com/wls/docs70/security/cli_apps.html#1090734
    -John
    "Arjuna Chala" <[email protected]> wrote:
    I don't know about "defaultRoleMapper", but this works
    <security-role-assignment>
      <role-name>deployer</role-name>
      <principal-name>deployer</principal-name>
    </security-role-assignment>
    where <role-name> maps to an ejb-jar role and <principal-name> maps to a weblogic group (in this case).

  • EJB security question

    Hi all,
    I'm looking for a bit of advice. We have a J2EE application we have written, and are considering hosting it such that we can give access to external clients. Our server hosts some EJBs and the GUI is a Web Start client. The user enters some data on the client and it is sent to the EJB server for processing - is there a security risk here? Could the data potentially be intercepted, or is the EJB communication secure? If it is not secure, what is the suggested way of doing this - encrypting on the client and decrypting on the server?
    Many thanks for any advice.
    Alistair

    Well, I have not used EJB or J2EE yet, but I will guess that it is insecure. The usual solution to secure these comms is to use the TLS/SSL APIs in the JSSE. I'm not sure what is available to a J2EE application.

  • EJB - EJB Security

    We are developing a three tier application, with a remote java client. The system is entity bean based, but all client access happens through a stateless session bean (Session Facade).
    The java client gets an initial context to the WLS (6.1 Sp2) server, specifying the username/password for authentication.
    Based on the user, we can restrict which roles (users) can run which methods of the stateless session EJB.
    What I want to know is this: if the java remote client logs in as scott/tiger and calls the session EJB (I assume as "scott/tiger"), and that session EJB calls an Entity EJB, which identity is the call to the entity bean made with?
    I'd like to clarify further by saying that the Session EJB will get an Initial Context prior to looking up the entity EJB by calling "new InitialContext()" (no arguments).
    Does the security id of the caller pass through? Can I cache the InitialContext in the stateless session bean, or am I going to have to create it on every call (considering each call could come from a different user)?
    Thanks!

    Brian,
    the caller identity should always pass through to the entity beans. There was a 'call as' feature in WLS 4.5.1, I think, but this was disabled in later versions, and returns (I think) in 7.
    Matt

  • EJB-Security client identification

    I want to be able to distinguish between different clients possibly running with the same client user IDs. The distinction has to be on the server side, e.g. based on the client's IP address.
    Is it possible to get the client's IP address on the server side? I don't want to use stateful session beans as this will simply create lots of instances without really using them that much.
    Thanks
    Chetan

    The IP address can be obtained from the HTTP headers. Check all the headers in the HttpServletRequest using the getHeaders() functions. One of them is the IP address.
    Chetan Gadgil wrote:
    Don't want the hassle of managing too many user IDs.
    In addition to that though IP addresses can be spoofed and networks can be hacked
    into, this is not the problem we are trying to solve. The access has to be controlled
    at the user level, with multiple persons possibly sharing some of the user IDs.
    Even if we have only ONE user per login, we still want to identify the source
    IP for a request.
    Does anyone know HOW to do it?
    Thanks
    Chetan
    "Alf" <alf> wrote:
    Relying on the IP address is very unreliable and not very secure, either.
    Regarding the former:
    - different clients may come through the same proxy (thus from the same IP
      as far as the server is concerned)
    - the same client can come through different IPs even within the same
      session. This happens when they use a large ISP and the dynamic load
      balancing of the ISP routes the client through different proxies.
    Regarding the latter, in certain conditions IP addresses can be spoofed (and
    the subject is too big to discuss it here).
    The problem, however, is rather at the business level. To have different
    clients using the same userid but still required to be distinguished
    from one another should rather be resolved by assigning different usernames
    to those clients. This is what usernames are meant for. Groups can be used
    to assign permissions on a global basis, but if you need user-level
    granularity, then really have different usernames.
    Hope this helps.
    "Chetan Gadgil" <[email protected]> wrote in message
    news:[email protected]...
    I want to be able to distinguish between different clients possibly running with
    the same client user IDs. The distinction has to be on the server side e.g. based
    on the client's IP address.
    Is it possible to get the client's IP address on the server side? I don't want
    to use stateful session beans as this will simply create lots of instances without
    really using them that much.
    Thanks
    Chetan
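    As an added illustration of the server-side source recording discussed in this thread (example code written for this page, not from any of the posters): a servlet filter that logs the container-authenticated user together with the TCP peer address and any X-Forwarded-For header, plus a helper that labels what the two values can and cannot tell you. It assumes the Servlet 2.3 API on the classpath and that a front-end proxy, if one exists, sets X-Forwarded-For; the class and method names are invented for the example. The values are recorded for audit only: as Alf notes above, a shared proxy, a changing ISP route or a spoofed address make them unusable as an authorization key, so the filter never makes an access decision from them.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical audit filter, constructed for this example.
public class ClientSourceAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ClientSourceAuditFilter.class.getName());

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getRemoteUser();                    // container-authenticated user id, null if none
        String peer = http.getRemoteAddr();                    // address of the TCP peer: the client or its proxy
        String forwarded = http.getHeader("X-Forwarded-For");  // set by a proxy, if any; not verified by the server
        LOG.info("user=" + (user == null ? "-" : user)
                 + " source=" + describeSource(peer, forwarded)
                 + " uri=" + http.getRequestURI());
        chain.doFilter(req, res);                              // no access decision is made here
    }

    // Builds the audit label for a request's network source. The peer address is what the
    // server actually observed; the forwarded chain is proxy- or client-supplied text, so it
    // is recorded verbatim and marked as a claim rather than trusted on its own.
    static String describeSource(String peerAddr, String forwardedFor) {
        if (forwardedFor == null || forwardedFor.trim().length() == 0) {
            return peerAddr;                                   // direct connection, as far as the server can see
        }
        // A proxy chain appends one address per hop; the leftmost is the claimed origin.
        String claimedOrigin = forwardedFor.split(",")[0].trim();
        return peerAddr + " (claims " + claimedOrigin + " via X-Forwarded-For)";
    }
}
```

    Register the filter in web.xml with a <filter> and <filter-mapping> element (Servlet 2.3 or later). The user name is logged next to the address on purpose: a log line can be tied back to a login only through the user id, which is why per-person accountability still needs distinct usernames, exactly as the reply above says.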

  • 10.1.3. EJB security guide

    I want to use the file based security provider and deploy also on the embedded application server.
    I found two guides
    download-west.oracle.com/docs/cd/B32110_01/web.1013/b28957/ejbsec.htm
    and a bit shorter
    download-east.oracle.com/docs/cd/B25221_04/web.1013/b14429/ejbsec.htm
    Which one should I read?

    Thanks for the link. I was more interested in the Adapter Installation guide for connecting PeopleSoft. From the link you gave, I was able to locate that document.
    After installing the 10.1.3 Adapters (only Design time components), I am not able to start iaexplorer.exe. When I start it, nothing happens.
    Application Server: 10.1.3.0 (Oracle SOA Suite)
    Adapter Version: 10.1.3.0 (Adapters for PeopleSoft, etc.)
    Installation option during Adapter installation: Design time components.
    Problem: IAExplorer doesn't start.
    I tried executing "ae.bat" and this is the error I get. Any pointers towards a solution would be appreciated:
    starting java
    ######### Error: Can not init logging ...
    Exception in thread "main" java.lang.NoSuchFieldError: WHITE
    at com.ibi.bse.gui.BseFlashScreen.initComponents2(BseFlashScreen.java:92
    at com.ibi.bse.gui.BseFlashScreen.<init>(BseFlashScreen.java:30)
    at com.ibi.bse.gui.BseFlashScreen.main(BseFlashScreen.java:158)
    Thanks

  • UNABLE TO ACCESS SECURED EJB USING IIOP FROM JSP

    The following code does not work with IIOP; when called from a JSP it returns:
    com.sap.engine.services.iiop.CORBA.CORBAObject:com.sap.engine.services.iiop.server.portable.Delegate_1_1@8312b1 step2 RemoteException occurred in server thread; nested exception is: java.rmi.RemoteException: com.sap.engine.services.ejb.exceptions.BaseRemoteException: User Guest does not have access to method create(). at
    The following code does not work with IIOP; when called from a fat client it returns:
    org.omg.CORBA.UNKNOWN:   vmcid: 0x0  minor code: 0 completed: Maybe
            at com.sun.corba.se.internal.core.UEInfoServiceContext.<init>(UEInfoServiceContext.java:33)
            at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
            at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
            at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
            at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
            at com.sun.corba.se.internal.core.ServiceContextData.makeServiceContext(
    import java.util.Properties;
    import javax.naming.Context;
    import javax.naming.InitialContext;

    // JNDI environment for the CosNaming (IIOP) provider, carrying the user's credentials
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.cosnaming.CNCtxFactory");
    p.put(Context.PROVIDER_URL, "iiop://hostname:50007");
    p.put(Context.SECURITY_PRINCIPAL, "User");
    p.put(Context.SECURITY_CREDENTIALS, "pass");
    Context ctx = new InitialContext(p);   // the EJB home lookup and create() call follow
    I have added a Java option to add the IIOP filter:
    -Dorg.omg.PortableInterceptor.ORBInitializerClass.com.sap.engine.services.iiop.csiv2.interceptors.SecurityInitializer
    Solution required: could you please detail what steps I need to perform in order to access a secured EJB using the IIOP protocol?
    FYI: however, EJB security does work with the P4 protocol. If required I can send you the test case EAR.
    Thanks
    Vijay
    Following are the server side logs
    java.rmi.RemoteException: com.sap.engine.services.ejb.exceptions.BaseRemoteException: User Guest does not have access to method create().
         at test.TestEJBHomeImpl0.create(TestEJBHomeImpl0.java:91)
         at test._TestEJBHome_Stub.create(_TestEJBHome_Stub.java:214)
         at jsp_testIIOP1199698887113._jspService(jsp_testIIOP1199698887113.java:33)
         at com.sap.engine.services.servlets_jsp.server.jsp.JspBase.service(JspBase.java:112)
         at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:544)
         at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:186)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
         at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:608)
         at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:505)
         at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
         at test.TestEJBHomeImpl0.create(TestEJBHomeImpl0.java:89)
         ... 20 more
    ; nested exception is:
         java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
         at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:608)
         at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:505)
         at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
         at test.TestEJBHomeImpl0.create(TestEJBHomeImpl0.java:89)
         at test._TestEJBHome_Stub.create(_TestEJBHome_Stub.java:214)
         at jsp_testIIOP1199698887113._jspService(jsp_testIIOP1199698887113.java:33)
         at com.sap.engine.services.servlets_jsp.server.jsp.JspBase.service(JspBase.java:112)
         at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:544)
         at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:186)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)

    That's the code that you need to execute, but you should
    probably encapsulate that code in a Custom Action.
    Orion has an EJB Tag Library that is free to distribute and
    does all that stuff; you just set some attributes.
    Go to their site and look at their Tag Libraries.
    Also look for other freely available Tag Libraries for EJB access.
