EJB security
Hello!
I read that controlled access to EJB methods can be achieved by means of defining security roles (in the EJB deployment descriptors). I also read that each time an EJB method is called, the EJB client's Principal is forwarded to the EJB context. What I don't know is how to establish a link between the client's principal and EJB security roles? I guess it should be possible. If not, how should the method isCallerInRole work? Can anyone help me?
Pascal.
The primary concept for EJB security is that of "roles".
A user may be in one or more roles. It is only roles that have particular access rights, not users. So for instance, the "administrator" role might have certain access rights that the "client" role might not. If a user is switched from being a "client" to an "administrator" (or is given both roles), that user will then have access to all the methods accessible to the "administrator" role.
Each method can be restricted based upon roles. The restrictions are listed in the <assembly-descriptor> tag. First of all, all roles must be listed. Then for each method, the access rights are listed by role. An example is shown below:
<assembly-descriptor>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
  <security-role>
    <role-name>client</role-name>
  </security-role>
  <method-permission>
    <role-name>administrator</role-name>
    <role-name>client</role-name>
    <method>
      <ejb-name>StockQuotes</ejb-name>
      <method-name>buy</method-name>
    </method>
    <method>
      <ejb-name>StockQuotes</ejb-name>
      <method-name>getPrice</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
Each method-permission tag may list one or more role names, followed by one or more methods that are accessible for those roles. The "*" character may be used to specify method names (indicating all methods). For multiple methods with the same name, the EJB specifications allow detailed parameter lists and interface type to identify methods uniquely, but this is outside the scope of this tutorial -- check reference material if you need to do this.
The actual mapping from user names to security roles, and the specification of user names and passwords is application-server dependent.
Hope this helps
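As an added example (not code from the original answer), the following Python script evaluates <method-permission> rules the way the answer describes them, including the "*" wildcard and the <unchecked/> element, and resolves a caller's roles through a constructed WebLogic-style <security-role-assignment> mapping, which is the application-server-dependent link between principals and roles the answer mentions. The descriptor fragments, user and group names are constructed, and treating a method that no permission covers as denied is an assumption of this script.

```python
"""Added example (not the original post's code): evaluate EJB method
permissions from an ejb-jar.xml <assembly-descriptor> and resolve a caller's
roles through a constructed WebLogic-style <security-role-assignment>.
Assumption: a method no <method-permission> covers is denied (fail closed)."""
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml fragment: the answer's example plus a '*' rule and
# an <unchecked/> method, to exercise those two descriptor features.
EJB_JAR_XML = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>administrator</role-name></security-role>
  <security-role><role-name>client</role-name></security-role>
  <method-permission>
    <role-name>administrator</role-name>
    <role-name>client</role-name>
    <method><ejb-name>StockQuotes</ejb-name><method-name>buy</method-name></method>
    <method><ejb-name>StockQuotes</ejb-name><method-name>getPrice</method-name></method>
  </method-permission>
  <method-permission>
    <role-name>administrator</role-name>
    <method><ejb-name>StockQuotes</ejb-name><method-name>*</method-name></method>
  </method-permission>
  <method-permission>
    <unchecked/>
    <method><ejb-name>StockQuotes</ejb-name><method-name>ping</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""

# Constructed vendor mapping (weblogic-ejb-jar.xml shape): EJB role ->
# principal names, which may be user names or group names.
ROLE_ASSIGNMENT_XML = """<weblogic-ejb-jar>
  <security-role-assignment>
    <role-name>administrator</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>client</role-name>
    <principal-name>Traders</principal-name>
    <principal-name>bob</principal-name>
  </security-role-assignment>
</weblogic-ejb-jar>"""


def parse_permissions(ejb_jar_xml):
    """Return [(roles, unchecked, [(ejb_name, method_name), ...]), ...]."""
    perms = []
    for mp in ET.fromstring(ejb_jar_xml).iter("method-permission"):
        roles = {r.text.strip() for r in mp.findall("role-name")}
        unchecked = mp.find("unchecked") is not None
        methods = [(m.findtext("ejb-name").strip(), m.findtext("method-name").strip())
                   for m in mp.findall("method")]
        perms.append((roles, unchecked, methods))
    return perms


def parse_role_assignments(vendor_xml):
    """Return {ejb_role: {principal, ...}} from <security-role-assignment>."""
    mapping = {}
    for sra in ET.fromstring(vendor_xml).iter("security-role-assignment"):
        role = sra.findtext("role-name").strip()
        mapping.setdefault(role, set()).update(
            p.text.strip() for p in sra.findall("principal-name"))
    return mapping


def roles_for(principal, groups, role_map):
    """EJB roles held by a caller: a role is granted when the user name or
    any of the user's groups is listed as a principal for that role."""
    names = {principal, *groups}
    return {role for role, principals in role_map.items() if names & principals}


def is_allowed(perms, ejb, method, caller_roles):
    """True when some <method-permission> covering (ejb, method) is either
    <unchecked/> or names a role the caller holds; '*' covers every method
    of that bean. No covering permission -> False (assumed fail-closed)."""
    for roles, unchecked, methods in perms:
        covers = any(e == ejb and m in ("*", method) for e, m in methods)
        if covers and (unchecked or roles & caller_roles):
            return True
    return False


def unchecked_methods(perms):
    """Audit helper: methods anyone can call without holding a role, e.g. a
    development descriptor with <unchecked/> on '*' that was shipped."""
    return sorted({(e, m) for roles, unchecked, methods in perms
                   if unchecked for e, m in methods})


if __name__ == "__main__":
    perms = parse_permissions(EJB_JAR_XML)
    role_map = parse_role_assignments(ROLE_ASSIGNMENT_XML)
    for user, groups in (("alice", {"Administrators"}), ("bob", set()), ("eve", set())):
        held = roles_for(user, groups, role_map)
        for m in ("buy", "cancel", "ping"):
            print(f"{user:5} {m:8} roles={sorted(held)} allowed={is_allowed(perms, 'StockQuotes', m, held)}")
    print("unchecked:", unchecked_methods(perms))
```

Running it shows that "bob" (mapped directly as a user) can call buy but not cancel, while "alice" reaches cancel only because her group grants the administrator role, which is the '*' rule at work.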
Similar Messages
-
Problem mapping LoginModule roles to ejb security roles
I have "successfully" managed to implement the DBSystemLoginModule. When I run my application I successfully authenticate to the database, the login module successfully retrieves the user's roles from the database and adds them to the subject:
PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
LoginContext lc = new LoginContext("current-workspace-app", cbh);
lc.login();
I then perform a lookup on a bean using the same user:
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
env.put("java.naming.security.principal", username);
env.put("java.naming.security.credentials", password);
env.put("java.naming.provider.url", "ormi://localhost:23891/current-workspace-app");
Context ic = new InitialContext(env);
final SessionEJBHome sessionEJBHome =
    (SessionEJBHome) PortableRemoteObject.narrow(ic.lookup("SessionEJB"), SessionEJBHome.class);
Finally, I create an instance of the bean and call a method of this bean.
SessionEJB sessionEJB;
sessionEJB = sessionEJBHome.create( );
sessionEJB.testMe( );
I am expecting (hoping) that the roles retrieved from the database by the login module may be used to authenticate the ejb methods. i.e. if (in ejb-jar.xml) the method "testMe" has a method-permission with role-name of "ABC" then this method may only be accessed if the user is a member of the "ABC" role retrieved from the database by the login module. However I get the message:
"username is not allowed to call this EJB method"
When I add a security-role-mapping in orion-ejb-jar.xml mapping the role "ABC" to the group "ABC" (and impliesALL="true") then the method is called successfully. However, if I add a security-role-mapping mapping the role "DEF" to the group "DEF" (which the user is not a member of) the ejb method is (wrongly) called successfully (with implies all="false" the method always fails). In other words there seems to be no mapping of the roles retrieved by the login module to the ejb security roles.
Can anyone please enlighten me on how I can achieve the mapping of the ejb security roles to the roles obtained from the login module.
Thanks
PS I have this problem with JDeveloper 10.1.3 (Developer Preview 10.1.3.0.2.223 and Early Access 10.1.3.0.3.3412)
Hi Sebastian,
yes, it is possible to do such mapping. And here how it works:
1. Define security roles in the ejb-jar.xml within <security-role>. For example:
<security-role>
  <role-name>test</role-name>
</security-role>
2. Then map those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor:
<security-permission>
  <security-role-map>
    <role-name>test</role-name>
    <server-role-name>myUMErole</server-role-name>
  </security-role-map>
</security-permission>
The myUMErole must be defined in the UME!
Does this answer your question? -
Using the Audit Provider to log ejb security events
I would like to use the audit provider to log security events for ejbs that use container managed security. Specifically I want to record the name of the ejb being accessed, the method the user is accessing, the time of the event and the user name of the user who is accessing the ejb.
So far I have created an ejb that has method-permissions defined in the ejb-xml file. I have a number of users with different levels of permissions and the security is working. I have also installed the example Audit class that is shipped with weblogic. I am getting Audit info in the log file, but I do not get any ejb info being logged.
Is it possible to use the Audit provider that weblogic provides to audit ejb security events? Do I need to do something special to make this work? Please help, I can not find any documentation about what the audit provider logs.
Actually I never tried to log in to the provider, but I understand you just need the keys.
Try this code, it works for me (some pieces are missing, but this is the core)
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import sun.security.pkcs11.SunPKCS11;

Provider provider = null;
provider = new SunPKCS11(providerFile); // providerFile is a String: the path to the PKCS#11 config file
Security.addProvider(provider);
KeyStore store = KeyStore.getInstance("PKCS11");
char[] pin = pinAsString.toCharArray();
store.load(null, pin); // no stream for a PKCS#11 keystore; the PIN logs in to the token
PrivateKey key = (PrivateKey) store.getKey(alias, null); // the key material stays on the token
Certificate[] chain = store.getCertificateChain(alias);
.....
Using this approach I managed to read all the information from the provider (aliases, certificates, ...). I'm not sure that's what you needed, but I hope it helped. -
Wl5.1 ejb security checking is backwards
In 5.1 for ejb security checking you seem to check for users first, then groups, i.e.:
at weblogic.security.acl.CachingRealm.getUser(CachingRealm.java:1057)
at weblogic.ejb.internal.SecurityRoleMapping.lookupPrincipal(SecurityRoleeMapping.java:236)
I don't have the code, but from the stack I can see you first calling getUser, and if it's null, then calling getGroup.
I think in 4.51 you checked groups first (I don't have the stack since it's long gone, but I didn't have the SQL I'm getting generated in 4.5.1).
Since most people map ejbs to groups (mapping directly to users is inflexible), I think it would make sense from a performance perspective to check groups first, then look for users.
Also, for compatibility's sake, I would think such a change should be noted in the release notes.
Let me know if you agree, and I'll open a case with support.
-Joel -
Retrieve ejb security roles list
Hi,
in an EJB stateless session bean is it possible to retrieve, by EJB context, the list of configured roles related to the current user?
Thanks in advance.
bye
Rob
Based on the link given here is the xml. This XML already exists in the application and has such structure:
<security-permission>
  <security-role-map>
    <role-name>developer</role-name>
    <server-role-name>role1</server-role-name>
    <server-role-name>role2</server-role-name>
    <server-role-name>role3</server-role-name>
    <server-role-name>role4</server-role-name>
    <server-role-name>role5</server-role-name>
  </security-role-map>
</security-permission>
My question is, which of the following annotation will work:
@RolesAllowed(value=)
or
@RolesAllowed(value=) //currently I am using this.
Edited by: Arpit Goyal on Feb 27, 2009 4:39 AM -
Hello,
I am using JDeveloper 3.2.2 to deploy EJBs to an 8.1.7 DB. Could someone point me in the direction of some documentation that would explain the concept of security roles and users for EJB methods? Do the users have to map to real users in the DB or how are they handled etc.
Thanks in advance,
- Nik -
Greetings,
I have implemented a version of RDBMSRealm and it works fairly well. Because we have reasonably complex rules for creating users, authenticating them, etc. we chose to develop a SessionBean that handles adding, changing, deleting users, etc.
Also, I have a method to log onto the realm that first goes through some complex rules, and finally if they pass, uses the ServletAuthentication class to create context and authenticate with the realm.
Trying to access the SessionBean is now throwing a security exception indicating that there is no permission on the "logon" method. But our EJB deployment descriptors don't specify any permissions. At the point of calling "logon" we haven't been authenticated to WebLogic.
1. Is this going to be a catch-22: we can't get authenticated because we can't use the method and we can't use the method because we're not authenticated?
2. If that is the case, does the logon method need to be moved from the SessionBean to an ordinary class?
Many thanks,
Jeff.
1) yes
2) yes
This is why you are advised not to use EJBs in custom realms - the catch 22 you spoke of (the RDBMSRealm uses a delegate pool rather than a connection pool for similar reasons) - You can't set up the realm without the EJB, and you can't access the EJB without being authorised, and you can't be authorised because the realm hasn't been set up yet
terry
-
EJB Security Violation when accessing WSRP remote portlet
I have set up a portal server using Workshop 8.1.3 and made it a producer of a remote portlet. I turned off the registration by setting it in wsrp-producer-config (<registration required="false" secure="false"/>). I have tested this remote portlet by accessing it from another Weblogic portal site.
What I really want to do is to use this remote portlet on a MS SharePoint portal site (with the WSRP Web Part Toolkit for SharePoint, http://www.gotdotnet.com/workspaces/workspace.aspx?id=2e3d8a57-ec9f-4d16-9a81-a395679d6392). I think I can successfully connect to the weblogic portal site, but I get a security violation error:
Error: [EJB:010160]Security Violation: User: '<anonymous>' has insufficient permission to access EJB: type=<ejb>, application=Demo, module=netuix.jar, ejb=PortalCustomizationManager, method=createSuccessor, methodInterface=Remote, signature={com.bea.netuix.application.manager.CustomizationContext,com.bea.netuix.application.identifier.DesktopDefinitionId,com.bea.netuix.application.identifier.PortletInstanceId}.
Can anyone tell me what I need to do to get past this security violation??
Thank you very much.
Thanks Subbu, this is what I am looking for, a way to get the requests and responses. I got the request/response from the SOAP monitor. However I can't tell why it's not working (why the consumer doesn't have insufficient access). From the registration and service description, I can't tell anything wrong as they don't require any additional information for the consumer. I'll paste all the SOAP messages between my consumer/producer and please let me know if you notice anything wrong. The SOAP messages are in order. Thanks so much for your help.
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<register xmlns="urn:oasis:names:tc:wsrp:v1:types">
<consumerName>wsrpConsumer</consumerName>
<consumerAgent>wsrpConsumer.1.1</consumerAgent>
<methodGetSupported>false</methodGetSupported>
</register>
</soap:Body>
</soap:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<urn:registerResponse xmlns:urn="urn:oasis:names:tc:wsrp:v1:types">
<urn:registrationHandle>28011</urn:registrationHandle>
</urn:registerResponse>
</soapenv:Body>
</soapenv:Envelope>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<getServiceDescription xmlns="urn:oasis:names:tc:wsrp:v1:types">
<registrationContext>
<registrationHandle>28011</registrationHandle>
</registrationContext>
</getServiceDescription>
</soap:Body>
</soap:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<urn:getServiceDescriptionResponse xmlns:urn="urn:oasis:names:tc:wsrp:v1:types">
<urn:requiresRegistration>true</urn:requiresRegistration>
<urn:offeredPortlets>
<urn:portletHandle>portlet_1</urn:portletHandle>
<urn:markupTypes>
<urn:mimeType>text/html</urn:mimeType>
<urn:modes>wsrp:view</urn:modes>
<urn:windowStates>wsrp:normal</urn:windowStates>
<urn:locales>en</urn:locales>
<urn:locales>en-US</urn:locales>
</urn:markupTypes>
<urn:groupID>WSRPDemo</urn:groupID>
<urn:description xml:lang="en-US">
<urn:value/>
</urn:description>
<urn:shortTitle xml:lang="en-US">
<urn:value>pageFlowPortlet</urn:value>
</urn:shortTitle>
<urn:title xml:lang="en-US">
<urn:value>pageFlowPortlet</urn:value>
</urn:title>
<urn:displayName xml:lang="en-US">
<urn:value>pageFlowPortlet</urn:value>
</urn:displayName>
<urn:usesMethodGet>true</urn:usesMethodGet>
<urn:templatesStoredInSession>true</urn:templatesStoredInSession>
<urn:doesUrlTemplateProcessing>true</urn:doesUrlTemplateProcessing>
</urn:offeredPortlets>
<urn:requiresInitCookie>perGroup</urn:requiresInitCookie>
<urn:registrationPropertyDescription/>
<urn:locales>en</urn:locales>
<urn:locales>en-US</urn:locales>
</urn:getServiceDescriptionResponse>
</soapenv:Body>
</soapenv:Envelope>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<clonePortlet xmlns="urn:oasis:names:tc:wsrp:v1:types">
<registrationContext>
<registrationHandle>28011</registrationHandle>
</registrationContext>
<portletContext>
<portletHandle>portlet_1</portletHandle>
</portletContext>
<userContext>
<userContextKey>wsrpConsumer</userContextKey>
</userContext>
</clonePortlet>
</soap:Body>
</soap:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<soapenv:Fault xmlns:urn="urn:oasis:names:tc:wsrp:v1:types">
<faultcode>urn:OperationFailed</faultcode>
<faultstring>[EJB:010160]Security Violation: User: '<anonymous>' has insufficient permission to access EJB: type=<ejb>, application=Demo, module=netuix.jar, ejb=PortalCustomizationManager, method=createSuccessor, methodInterface=Remote, signature={com.bea.netuix.application.manager.CustomizationContext,com.bea.netuix.application.identifier.DesktopDefinitionId,com.bea.netuix.application.identifier.PortletInstanceId}.</faultstring>
<detail>
<urn:OperationFailed/>
<urn1:FaultDetail xmlns:urn1="urn:bea:wsrp:wlp:v1:types">
<urn1:created>2004-09-27T11:37:09.648-04:00</urn1:created>
<urn1:trace>com.bea.wsrp.faults.OperationFailedException: [EJB:010160]Security Violation: User: '<anonymous>' has insufficient permission to access EJB: type=<ejb>, application=Demo, module=netuix.jar, ejb=PortalCustomizationManager, method=createSuccessor, methodInterface=Remote, signature={com.bea.netuix.application.manager.CustomizationContext,com.bea.netuix.application.identifier.DesktopDefinitionId,com.bea.netuix.application.identifier.PortletInstanceId}.
at com.bea.wsrp.producer.adapter.customization.PortalCustomizationServiceAdapter.clonePortlet(PortalCustomizationServiceAdapter.java:264)
at com.bea.wsrp.producer.handlers.management.PortletManagementServiceHandler.doClonePortlet(PortletManagementServiceHandler.java:247)
at com.bea.wsrp.producer.handlers.management.PortletManagementServiceHandler.doService(PortletManagementServiceHandler.java:152)
at com.bea.wsrp.producer.handlers.AbstractServiceHandler.service(AbstractServiceHandler.java:92)
at com.bea.wsrp.producer.WsrpServer.processServiceRequest(WsrpServer.java:283)
at com.bea.wsrp.producer.WsrpServer.service(WsrpServer.java:168)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:996)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:28)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
at com.bea.wsrp.producer.adapter.pageflow.WsrpPageflowFilter.doFilter(WsrpPageflowFilter.java:73)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
at com.bea.p13n.servlets.PortalServletFilter.doFilter(PortalServletFilter.java:351)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6458)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3661)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2630)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)</urn1:trace>
</urn1:FaultDetail>
</detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope> -
EJB security suppress in development and testing
Hi,
I'm not quite sure if it's the right place for the post but it seems to me a good one for a start. I think that my problem should be quite common and I'm really surprised that I can't find the answer :/, perhaps I search for the wrong thing, but let's get down to business :).
I have a JEE project which includes an EJB module and an enterprise client.
The EJB is secured; when I try to access its methods via the client I have to provide proper credentials and everything works perfectly well.
However, during the development cycle 2 issues may arise.
1. It can be frustrating that each time I need to access a secured method (i.e. every debug), I have to provide user credentials.
2. I don't know how to programmatically provide credentials in order to make unit tests.
So,
is it possible to "suppress security" during development, so that no security checks are made??
Maybe there are different solutions??
Or my assumptions are wrong??
Thanks, the solution works :)
If anyone has the same issue, I provide ejb-jar.xml.
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"
         version="3.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd">
  <enterprise-beans>
    <session>
      <ejb-name>CartBean</ejb-name>
      <ejb-class>cart.secure.ejb.CartBean</ejb-class>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>kuku</role-name>
    </security-role>
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>CartBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
Only one thing that bothers me remains: why did I have to define the bean in the descriptor??
If I didn't put <enter ... then I got the following error:
Deploying application in domain failed; Error loading deployment descriptors for module [cart-secure] -- Referencing error: This bundle has no bean of name [CartBean] -
Ejb security role & bea implementation
A role has been defined in ejb-jar as follows:
<security-role>
  <description><![CDATA[Deployer User]]></description>
  <role-name>deployer</role-name>
</security-role>
<method-permission>
  <description><![CDATA[Deployer Method Permission]]></description>
  <role-name>deployer</role-name>
  <method>
    <description><![CDATA[All method for CCPStateBean]]></description>
    <ejb-name>CCPStateBean</ejb-name>
    <method-name>*</method-name>
  </method>
</method-permission>
If the principal is included in the weblogic-ejb-jar as below, and the jndi lookup includes the SECURITY_PRINCIPAL (e.g., jzhu), the code works fine.
<security-role-assignment>
  <role-name>deployer</role-name>
  <principal-name>jzhu</principal-name>
</security-role-assignment>
The problem comes when the principal is not included as above in weblogic-ejb-jar; instead a role "deployer" is defined in WLS. The user ("jzhu") is defined in the deployer group, and the deployer group belongs to the deployer role. The defaultRoleMapper is enabled. In this scenario, the access failed due to insufficient permission.
Can an ejb-jar role relate to a WLS role? Please advise. THX.
-John
Thanks for the information. It works. I wish BEA monitored this newsgroup since this is not in their documentation. By the way, the following link clarifies the relationship between DD and admin console security configuration.
http://edocs.bea.com/wls/docs70/security/cli_apps.html#1090734
-John
"Arjuna Chala" <[email protected]> wrote:
I don't know about "defaultRoleMapper", but this works:
<security-role-assignment>
  <role-name>deployer</role-name>
  <principal-name>deployer</principal-name>
</security-role-assignment>
where <role-name> maps to an ejb-jar role and <principal-name> maps to a weblogic group (in this case).
-
Hi all,
I'm looking for a bit of advice. We have a J2EE application we have written, and are considering hosting it such that we can give access to external clients. Our server hosts some EJBs and the GUI is a Web Start client. The user enters some data on the client and it is sent to the EJB server for processing - is there a security risk here? Could the data potentially be intercepted or is the EJB communication secure? If it is not secure, what is the suggested way of doing this - encrypting on the client and decrypting on the server?
Many thanks for any advice.
Alistair
Well, I have not used EJB or J2EE yet, but I will guess that it is insecure. The usual solution to secure these comms is to use the TLS/SSL APIs in the JSSE. I'm not sure what is available to a J2EE application.
-
We are developing a three tier application, with a remote java client. The system is entity bean based, but all client access happens through a stateless session bean (Session Facade).
The java client gets an initial context to the WLS (6.1 Sp2) server, specifying the username/password for authentication.
Based on the user, we can restrict which roles (users) can run which methods of the stateless session EJB.
What I want to know is this.. If the java remote client logs in as scott/tiger, calls the session EJB (I assume as "scott/tiger"), if that session EJB calls an Entity EJB, which identity is the call to the entity bean made with?
I'd like to clarify further by saying that the Session EJB will get an Initial Context prior to looking up the entity EJB by calling "new InitialContext()" (no arguments).
Does the security id of the caller pass through? Can I cache the InitialContext in the stateless session bean, or am I going to have to create it on every call (considering each call could come from a different user)?
Thanks!
Brian,
the caller identity should always pass through to the entity beans. There was a 'call as' feature in WLS 4.5.1, I think, but this was disabled in later versions, and returns (I think) in 7.
Matt
-
EJB-Security client identification
I want to be able to distinguish between different clients possibly running with the same client user IDs. The distinction has to be on the server side e.g. based on the client's IP address.
Is it possible to get the client's IP address on the server side? I don't want to use stateful session beans as this will simply create lots of instances without really using them that much.
Thanks
Chetan
Chetan
The IP address can be obtained from the HTTP headers. Check all the headers in the HTTPServletRequest using the getHeaders() functions. One of them is the IP address.
Chetan Gadgil wrote:
Don't want the hassle of managing too many user IDs.
In addition to that, though IP addresses can be spoofed and networks can be hacked into, this is not the problem we are trying to solve. The access has to be controlled at the user level, with multiple persons possibly sharing some of the user IDs. Even if we have only ONE user per login, we still want to identify the source IP for a request.
Does anyone know HOW to do it?
Thanks
Chetan
"Alf" <alf> wrote:
Relying on the IP address is very unreliable and not very secure, either.
Regarding the former:
- different clients may come through the same proxy (thus from the same IP as far as the server is concerned)
- the same client can come through different IPs even within the same session. This happens when they use a large ISP and the dynamic load balancing of the ISP routes the client through different proxies.
Regarding the latter, in certain conditions IP addresses can be spoofed (and the subject is too big to discuss it here).
The problem, however, is rather at the business level. To have different clients using the same userid but still required to be distinguished from one another should rather be resolved by assigning different usernames to those clients. This is what usernames are meant for. Groups can be used to assign permissions on a global basis, but if you need user-level granularity, then really have different usernames.
hope this helps.
-
10.1.3. EJB security guide
I want to use a file based security provider and deploy also on the embedded application server.
I found two guides
download-west.oracle.com/docs/cd/B32110_01/web.1013/b28957/ejbsec.htm
and a bit shorter
download-east.oracle.com/docs/cd/B25221_04/web.1013/b14429/ejbsec.htm
Which one should I read?
Thanks for the link. I was more interested in the Adapter Installation guide for connecting PeopleSoft. From the link you gave, I was able to locate that document.
After installing 10.1.3 Adapters (only Design time components), I am not able to start iaexplorer.exe. When I start it, nothing happens.
Application Server: 10.1.3.0 (Oracle SOA Suite)
Adapter Version: 10.1.3.0 (Adapters for PeopleSoft, etc)
Installation option during Adapter installation: Design time components.
Problem: IAExplorer doesn't start.
I tried executing "ae.bat" and this is the error I get. Any pointers towards a solution would be appreciated.
starting java
######### Error: Can not init logging ...
Exception in thread "main" java.lang.NoSuchFieldError: WHITE
at com.ibi.bse.gui.BseFlashScreen.initComponents2(BseFlashScreen.java:92
at com.ibi.bse.gui.BseFlashScreen.<init>(BseFlashScreen.java:30)
at com.ibi.bse.gui.BseFlashScreen.main(BseFlashScreen.java:158)
Thanks -
UNABLE TO ACCESS SECURED EJB USING IIOP FROM JSP
The following code does not work with IIOP when called from a JSP; it returns:
com.sap.engine.services.iiop.CORBA.CORBAObject:com.sap.engine.services.iiop.server.portable.Delegate_1_1@8312b1 step2 RemoteException occurred in server thread; nested exception is: java.rmi.RemoteException: com.sap.engine.services.ejb.exceptions.BaseRemoteException: User Guest does not have access to method create(). at
The following code does not work with IIOP when called from a fat client; it returns:
org.omg.CORBA.UNKNOWN: vmcid: 0x0 minor code: 0 completed: Maybe
at com.sun.corba.se.internal.core.UEInfoServiceContext.<init>(UEInfoServiceContext.java:33)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
at com.sun.corba.se.internal.core.ServiceContextData.makeServiceContext(
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
// JNDI environment for the CORBA naming service; the user/password are handed
// to the IIOP layer as the caller's credentials
Properties p = new Properties();
p.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.cosnaming.CNCtxFactory");
p.put(Context.PROVIDER_URL, "iiop://hostname:50007");
p.put(Context.SECURITY_PRINCIPAL, "User");
p.put(Context.SECURITY_CREDENTIALS, "pass");
Context ctx = new InitialContext(p);
I have added a Java option to register the IIOP filter:
-Dorg.omg.PortableInterceptor.ORBInitializerClass.com.sap.engine.services.iiop.csiv2.interceptors.SecurityInitializer
Solution required: could you please detail the steps I need to perform in order to access a secured EJB using the IIOP protocol?
FYI: EJB security does work with the P4 protocol. If required I can send you the test-case EAR.
Thanks
Vijay
Following are the server-side logs:
java.rmi.RemoteException: com.sap.engine.services.ejb.exceptions.BaseRemoteException: User Guest does not have access to method create().
at test.TestEJBHomeImpl0.create(TestEJBHomeImpl0.java:91)
at test._TestEJBHome_Stub.create(_TestEJBHome_Stub.java:214)
at jsp_testIIOP1199698887113._jspService(jsp_testIIOP1199698887113.java:33)
at com.sap.engine.services.servlets_jsp.server.jsp.JspBase.service(JspBase.java:112)
at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:544)
at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:186)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:608)
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:505)
at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
at test.TestEJBHomeImpl0.create(TestEJBHomeImpl0.java:89)
... 20 more
; nested exception is:
java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:608)
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:505)
at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
at test.TestEJBHomeImpl0.create(TestEJBHomeImpl0.java:89)
at test._TestEJBHome_Stub.create(_TestEJBHome_Stub.java:214)
at jsp_testIIOP1199698887113._jspService(jsp_testIIOP1199698887113.java:33)
at com.sap.engine.services.servlets_jsp.server.jsp.JspBase.service(JspBase.java:112)
at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:544)
at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:186)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
-
That's the code that you need to execute, but you should probably encapsulate that code in a Custom Action.
Orion has an EJB Tag Library that is free to distribute and does all that stuff; you just set some attributes.
Go to their site and look at their Tag Libraries.
Also look for other freely available Tag Libraries for EJB access.
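In Vijay's IIOP question above, the server reports the caller as Guest, i.e. it did not associate the user supplied through the JNDI environment with the call, so the method-permission check on create() fails before any descriptor setting matters. The first thing to establish on such a path is which principal the server actually sees. The following is an added client-side check, not code from the thread and not SAP's API: it assumes a hypothetical remote interface Diagnostics bound under the JNDI name "Diagnostics", whose whoAmI() method is deployed without a role restriction and returns ctx.getCallerPrincipal().getName() on the server. Host, port, user, password and the anonymous user name "Guest" are placeholders taken from the post.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;

/*
 * Hypothetical EJB 2.x remote interface (assumed, not part of the poster's
 * EAR). The implementing bean is assumed to return the caller principal's
 * name and to be callable without any role, so that it never fails for
 * authorization reasons itself.
 */
interface Diagnostics extends Remote {
    String whoAmI() throws RemoteException;
}

public class IiopIdentityCheck {

    // JNDI environment for the CORBA naming service, as in the post.
    // Values are placeholders.
    static Properties iiopEnv(String user, String password) {
        Properties p = new Properties();
        p.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.cosnaming.CNCtxFactory");
        p.put(Context.PROVIDER_URL, "iiop://hostname:50007");
        p.put(Context.SECURITY_PRINCIPAL, user);
        p.put(Context.SECURITY_CREDENTIALS, password);
        return p;
    }

    // Ask the server which principal it attached to this IIOP caller.
    // Run this before calling any role-protected method: if the answer is the
    // container's anonymous user, the credentials were not carried in the
    // IIOP request and every method-permission check will fail.
    static String callerSeenByServer(String jndiName, String user, String password)
            throws NamingException, RemoteException {
        Context ctx = new InitialContext(iiopEnv(user, password));
        Object ref = ctx.lookup(jndiName);
        // narrow() is required for RMI-IIOP stubs; a plain Java cast may fail.
        Diagnostics diag = (Diagnostics) PortableRemoteObject.narrow(ref, Diagnostics.class);
        return diag.whoAmI();
    }

    // Assumed anonymous user name; taken from the error message in the post.
    static final String ANONYMOUS = "Guest";

    public static void main(String[] args) throws Exception {
        String seen = callerSeenByServer("Diagnostics", "User", "pass");
        if (ANONYMOUS.equals(seen)) {
            System.out.println("identity did not propagate over IIOP: fix the ORB/CSIv2 "
                    + "security setup before touching method permissions");
        } else {
            System.out.println("server sees caller as " + seen
                    + "; role checks now apply to that user");
        }
    }
}
```

If whoAmI() itself comes back with an access exception, the diagnostic method is not actually open to the anonymous role and the test proves nothing; open it first. Once the server reports the expected user, a remaining "does not have access to method create()" is a genuine role mapping problem (the user is not in a role that the assembly-descriptor grants create() to), and only then is the deployment descriptor the place to look.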