Security credentials in J2EE

I am currently working on a project using JSP (Apache Struts) and EJBs implemented on WebSphere v4.0. What we want to do is authenticate a user against our back-end databases and then, depending on the result, restrict access to the other EJBs in our system. What we don't want to do is use form-based authentication with user/password, as we require several pieces of info from the customer to authenticate them.
What we have done so far is:
Defined roles and mapped these to EJBs. For simplicity all EJBs are mapped to one role, but the logon EJB is mapped to a different role.
These roles are then mapped to users at deploy time. This should mean that all users can call the logon EJB but only authenticated users can call the others.
The problem is that I cannot invoke the restricted EJBs. All users can invoke the logon EJB as expected, but when invoking the restricted EJBs I get an exception saying that "Authorization failed for /UNAUTHENTICATED ". This is even though I am passing the credentials and principal in as properties to the constructor of InitialContext, e.g.
props.put(Context.SECURITY_PRINCIPAL,"user1");
props.put(Context.SECURITY_CREDENTIALS,"userpassword");
InitialContext myCtx = new InitialContext(props);
I have also tried to authenticate using the ServerSideAuthenticator class which ships with WebSphere. I can authenticate as user1 in an EJB and call another EJB, and the credentials are propagated in the call as I would expect. However, if I use the ServerSideAuthenticator in the web tier in the action servlet and then invoke an EJB, the credentials are not propagated and I get the same error.
Does anyone have any ideas on how to do this? Ideally we would like to be as J2EE as possible but are not sure if this can be done with our app server. If this is not possible, does anyone know how to do it in a WebSphere kind of way?

I'm getting the same problem. Did you find a solution for this?

Similar Messages

  • Setting security credentials dynamically in Oracle BPEL

    Hi,
    I am trying to pass security credentials dynamically to a partner link in Oracle BPEL using the following code (.bpel). But when I try to compile I am getting the error below.
    Error:
    [Error ORABPEL-10902]: compilation failed
    [Description]: in "bpel.xml", XML parsing failed because "undefined part element.
    In WSDL at "file:/D:/BEPL/OWSM/CustomHeader/bpel/CustomHeader.wsdl", message part element "{http://xmlns.oracle.com/CustomHeader}CustomHeaderProcessResponse" is not defined in any of the schemas.
    Please make sure the spelling of the element QName is correct and the WSDL import is complete.
    [Potential fix]: n/a.
    Please help me to sort out the above problem. I want to pass the credentials dynamically to a partner link in Oracle BPEL. Is this the right way to do it? Kindly respond if there is any other way.
    <?xml version = "1.0" encoding = "UTF-8" ?>
    <!--
    Oracle JDeveloper BPEL Designer
    Created: Tue Apr 14 15:51:03 IST 2009
    Author: sivaramakrishnaa
    Purpose: Synchronous BPEL Process
    -->
    <process name="BPELSycProcess"
    targetNamespace="http://xmlns.oracle.com/BPELSycProcess"
    xmlns="http://schemas.xmlsoap.org/ws/2003/03/business-process/"
    xmlns:xp20="http://www.oracle.com/XSL/Transform/java/oracle.tip.pc.services.functions.Xpath20"
    xmlns:bpws="http://schemas.xmlsoap.org/ws/2003/03/business-process/"
    xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:ns1="http://datespackage/"
    xmlns:ldap="http://schemas.oracle.com/xpath/extension/ldap"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:client="http://xmlns.oracle.com/BPELSycProcess"
    xmlns:bpelx="http://schemas.oracle.com/bpel/extension"
    xmlns:ora="http://schemas.oracle.com/xpath/extension"
    xmlns:orcl="http://www.oracle.com/XSL/Transform/java/oracle.tip.pc.services.functions.ExtFunc">
    <!--
    PARTNERLINKS
    List of services participating in this BPEL process
    -->
    <partnerLinks>
    <!--
    The 'client' role represents the requester of this service. It is
    used for callback. The location and correlation information associated
    with the client role are automatically set using WS-Addressing.
    -->
    <partnerLink name="client" partnerLinkType="client:BPELSycProcess"
    myRole="BPELSycProcessProvider"/>
    <partnerLink myRole="GetDatesWS_Role" name="GetDatesWS"
    partnerRole="GetDatesWS_Role"
    partnerLinkType="ns1:GetDatesWS_PL"/>
    </partnerLinks>
    <!--
    VARIABLES
    List of messages and XML documents used within this BPEL process
    -->
    <variables>
    <!-- Reference to the message passed as input during initiation -->
    <variable name="inputVariable"
    messageType="client:BPELSycProcessRequestMessage"/>
    <!-- Reference to the message that will be returned to the requester-->
    <variable name="outputVariable"
    messageType="client:BPELSycProcessResponseMessage"/>
    <variable name="Invoke_GetDate_getDate_InputVariable"
    messageType="ns1:GetDatesWS_getDate"/>
    <variable name="Invoke_GetDate_getDate_OutputVariable"
    messageType="ns1:GetDatesWS_getDateResponse"/>
    <variable name="wscheaders" element="ns4:Security"/>
    </variables>
    <!--
    ORCHESTRATION LOGIC
    Set of activities coordinating the flow of messages across the
    services integrated within this business process
    -->
    <sequence name="main">
    <!-- Receive input from requestor. (Note: This maps to operation defined in BPELSycProcess.wsdl) -->
    <receive name="receiveInput" partnerLink="client"
    portType="client:BPELSycProcess" operation="process"
    variable="inputVariable" createInstance="yes"/>
    <!-- Generate reply to synchronous request -->
    <assign name="Assign_1">
    <copy>
    <from>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>siva </wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">kris</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    </from>
    <to variable="wscheaders"/>
    </copy>
    </assign>
    <assign name="Assign_Before">
    <copy>
    <from expression="'Before Service Invoke'"/>
    <to variable="inputVariable" part="payload"
    query="/client:BPELSycProcessProcessRequest/client:input"/>
    </copy>
    </assign>
    <invoke name="Invoke_GetDate" partnerLink="GetDatesWS"
    portType="ns1:GetDatesWS" operation="getDate"
    inputVariable="Invoke_GetDate_getDate_InputVariable"
    outputVariable="Invoke_GetDate_getDate_OutputVariable"
    bpelx:inputHeaderVariable="wscheaders"/>
    <assign name="Assign_After">
    <copy>
    <from expression="'After Service Invoke'"/>
    <to variable="inputVariable" part="payload"
    query="/client:BPELSycProcessProcessRequest/client:input"/>
    </copy>
    </assign>
    <reply name="replyOutput" partnerLink="client"
    portType="client:BPELSycProcess" operation="process"
    variable="outputVariable"/>
    </sequence>
    </process>
    Thanks & Regards,
    Siva

    There are so many limitations on what can and cannot be done in Apps related forms so you should ask this question in the relevant Apps forum: OA Framework (I would think)

  • Connecting to LDAP with current security credentials

    Hey All
    I want to connect to LDAP SERVER(Active Directory in my case)
    without specified security credentials in my code.
    I want Ldap to use security credentials of my user.
    Thanks
    Ishay

    Had you bothered to look a little further down the first page of the forum, you would have found the answer to your question.
    http://forum.java.sun.com/thread.jspa?threadID=732433&tstart=0

  • Security problem with J2EE 5.0 environment

    Hi dear all,
    I am currently trying to run an application which was running on J2SE successfully after changing the Java security files in the JDK security folder.
    But now I have moved to a J2EE environment and am trying to run the same code, but it is giving me the following exceptions.
    Exception in thread "main" java.lang.VerifyError: class edu.emory.mathcs.backport.java.util.concurrent.helpers.AbstractOwnableQueuedSynchronizer overrides final method setExclusiveOwnerThread.(Ljava/lang/Thread;)V
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
    at java.net.URLClassLoader.access$000(URLClassLoader.java:56)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:276)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
    at java.net.URLClassLoader.access$000(URLClassLoader.java:56)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:276)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
    at edu.emory.mathcs.backport.java.util.concurrent.LinkedBlockingQueue.<init>(LinkedBlockingQueue.java:87)
    at edu.emory.mathcs.backport.java.util.concurrent.LinkedBlockingQueue.<init>(LinkedBlockingQueue.java:169)
    at com.torunski.crawler.MultiThreadedCrawler.<init>(MultiThreadedCrawler.java:67)
    at mywebtracker.web_tracker.Tracker.startTracking(Tracker.java:84)
    at mywebtracker.web_tracker.TrackerController.main(TrackerController.java:37)
    Java Result: 1
    I have tried to change the policy files in the {java_home}./jre/lib/security but it does not work.
    Can anyone tell me how to change security settings in a J2EE environment? I am using NetBeans 5.5 with SDK 5, JDK 6 and Sun Application Server 9.0.
    I would be grateful.
    zaman

    http://publib.boulder.ibm.com/infocenter/wasinfo/topic/com.ibm.wasee.doc/info/ee/ae/tdat_migdaapp.html
    The answer will be to make your JSP a JSP 1.2 JSP. (Basically the servlet 2.3 spec). Please refer to the link above for a step by step procedure to accomplish it.
    Vijay

  • LocalHome caching in ServiceLocator - security credentials lost at runtime

    I got a nasty exception when trying to use cached localhomes, which had been looked up after constructing an InitialContext with Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS:
    javax.ejb.AccessLocalException: [EJB:010160]Security Violation: User: '<anonymous>' has insufficient permission to access EJB: ...
    I finally had to disable localhome caching in my ServiceLocator, if security credentials were needed.
    AppServer: WebLogic Server 8.1 SP3

    I have the very same error using Weblogic Server 8.1 SP4. For now, caching in the ServiceLocator had to be removed. Debugging the server-code showed that the beans setContext-method is not called before entering the method requested by the client. The call fails when the first bean executes a remote-call to a second bean.

  • How to add security credentials to SOAP header for EBS Web Service call..

    All,
    I am trying to invoke a webservice that I successfully exposed as a WSDL Web Service using EBS Integrated SOA Gateway. I am using OBIEE 11g Action Framework which uses WebLogic.
    Here are the steps I completed:
    - I exposed a WSDL web service in EBS R12 via Integrated SOA Gateway
    - I granted the access to this service in EBS R12 to user SYSADMIN
    - I used OBIEE 11g to make a Action to call the Web service (using Action Framework) by searching for the WSDL
    - When I try to execute the action: I get the error:
    Action could not be invoked.
    ServiceExecutionFailure :
    Error invoking web service HR_PHONE_API_Service at endpoint http://ip-10-87-33-3.ec2.internal:8000/webservices/SOAProvider/plsql/hr_phone_api/ Missing <wsse:Security> in SOAP Header
    PROBLEM: I am unsure how to add the credentials for SYSADMIN user and password to add the SOAP username/pwd to the outgoing call. Anyone on this forum know how to set up the SOAP to call with the correct credentials? I have been looking at the documentation but it is not clearly explained.

    Dear Heiko,
    did you solve this problem?
    We are facing the same problem. Every parameter that requires "cmd" does not work. I guess we don't use this parameter the right way.
    Best, Chris
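
Added example (not code from either post or from the products they use): the BPEL post above, which assigns a wsse:Security header carrying a #PasswordText UsernameToken, and this EBS thread, whose error is "Missing <wsse:Security> in SOAP Header", both turn on the same header. The Java below builds it with the JDK only, in the PasswordText form the BPEL post uses and, going beyond the posts, in the UsernameToken profile's PasswordDigest form with the receiver-side check. Class and method names, the sample credentials and the freshness window are assumptions made for illustration; whether a given service accepts the digest form depends on its policy.

```java
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class UsernameTokenHeader {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-";
    static final String WSSE = WSS + "wssecurity-secext-1.0.xsd";
    static final String WSU = WSS + "wssecurity-utility-1.0.xsd";
    static final String UTP = WSS + "username-token-profile-1.0";
    static final String B64 = WSS + "soap-message-security-1.0#Base64Binary";

    // Password_Digest = Base64(SHA-1(nonce + created + password)); the nonce is hashed as raw bytes.
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Receiver side (example window: 5 minutes old, 60 s clock skew). Replay needs a nonce cache too.
    static boolean verify(String nonceB64, String created, String presented, String stored)
            throws Exception {
        Instant ts = Instant.parse(created), now = Instant.now();
        if (ts.isAfter(now.plusSeconds(60)) || ts.isBefore(now.minusSeconds(300))) return false;
        String expected = digest(Base64.getDecoder().decode(nonceB64), created, stored);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                presented.getBytes(StandardCharsets.US_ASCII)); // constant-time comparison
    }

    static Element child(Element parent, String ns, String qname, String text) {
        Element e = parent.getOwnerDocument().createElementNS(ns, qname);
        e.setTextContent(text);
        return (Element) parent.appendChild(e);
    }
    // Builds a SOAP 1.1 envelope with an empty body whose header carries the UsernameToken.
    static Document envelope(String user, String password, boolean useDigest) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document d = f.newDocumentBuilder().newDocument();
        Element env = (Element) d.appendChild(d.createElementNS(SOAP, "soapenv:Envelope"));
        Element sec = child(child(env, SOAP, "soapenv:Header", ""), WSSE, "wsse:Security", "");
        Element token = child(sec, WSSE, "wsse:UsernameToken", "");
        child(token, WSSE, "wsse:Username", user);
        if (!useDigest) {
            // Form used in the BPEL post: the password travels in the message, so protect the channel.
            child(token, WSSE, "wsse:Password", password).setAttribute("Type", UTP + "#PasswordText");
        } else {
            byte[] nonce = new byte[16];
            new SecureRandom().nextBytes(nonce);
            String created = Instant.ofEpochSecond(Instant.now().getEpochSecond()).toString();
            child(token, WSSE, "wsse:Password", digest(nonce, created, password))
                    .setAttribute("Type", UTP + "#PasswordDigest");
            child(token, WSSE, "wsse:Nonce", Base64.getEncoder().encodeToString(nonce))
                    .setAttribute("EncodingType", B64);
            child(token, WSU, "wsu:Created", created);
        }
        child(env, SOAP, "soapenv:Body", "");
        return d;
    }

    static String toXml(Document d) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(d), new StreamResult(out));
        return out.toString();
    }
    static String value(Document d, String ns, String local) {
        return d.getElementsByTagNameNS(ns, local).item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        String user = "example-user", password = "example-password"; // constructed sample values
        Document digestEnv = envelope(user, password, true);
        System.out.println(toXml(envelope(user, password, false)) + "\n" + toXml(digestEnv));
        String n = value(digestEnv, WSSE, "Nonce"), c = value(digestEnv, WSU, "Created");
        String p = value(digestEnv, WSSE, "Password");
        System.out.println("correct password verifies: " + verify(n, c, p, password));
        System.out.println("wrong password verifies:   " + verify(n, c, p, "other-password"));
    }
}
```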

  • How to forward security credentials from one web service to another

    Here is what I am trying to do... I have a standalone client that invokes a message-level secured web service (WEBSERVICE A) on a Weblogic 9.1 server (SERVER A) with a username and a password, and this web service (WEBSERVICE A) uses the same username and password from the client, and invokes another message-level secured web service (WEBSERVICE B) deployed on a different WebLogic 9.1 server (SERVER B).
    Does WebLogic 9.X automatically assert the same client credentials when WEBSERVICE A invokes WEBSERVICE B on a different server? If it doesn't, what is the best way to do that? Thanks.

    You can save the site (spweb) as a template, and then use the template to create a new site in another web application. 
    When you save the site, it's saved to the solutions gallery. You can download the saved site from the solutions gallery, and then use it to create the new site collection. 
    If the site is a publishing site, you'll need to de-activate the publishing features first.
    You can save the site as a template via the sites settings page, or via SharePoint designer.
    Have a look here: http://office.microsoft.com/en-us/sharepoint-designer-help/save-a-sharepoint-site-as-a-template-HA101782501.aspx
    Regards, Matthew
    MCPD | MCITP

  • Get or set security credentials for XML web service client authentication

    Dear,
    I wrote a custom asp.net web service that acts as a wrapper for the taxonomyclientservice.asmx in sharepoint 2010.
    On my local machine, the following code works:
    using (Taxonomy.Taxonomywebservice TaxonomyClient = new COSMOS_Taxonomy.Taxonomywebservice())
    {
        TaxonomyClient.Credentials = new NetworkCredential("username", "pass", "domain");
        TaxonomyClient.PreAuthenticate = true;
        // etc.
    }
    The authentication works when I provide the user credentials.
    The problem is when I deploy the web service to my production env. I don't know the owner of the metadata term store and it's out of the question to get the username and password.
    When I try to run this code on my local machine:
    TaxonomyClient.Credentials = System.Net.CredentialCache.DefaultCredentials;
    i get this error:
    System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
    at COSMOS_TermSet.COSMOS_Taxonomy.Taxonomywebservice.GetTermSets(String sharedServiceIds, String termSetIds, Int32 lcid, String clientTimeStamps, String clientVersions, String& serverTermSetTimeStampXml)
    at COSMOS_TermSet.CustomWebService.GetCountryTermSet()
    How can i fix this.
    Many thanks in advance

    Hi Roni,
    Based on your description, the error occurred when using the DefaultCredential in the code.
    I recommend to check if the “<identity impersonate="true"></identity>” is included in web.config file.
    If not, add it to web.config file to see if the issue still occurs.
    Best regards.
    Thanks
    Victoria Xia
    TechNet Community Support

  • What is the difference between ADF Security Auth and J2EE Container Auth

    Hello:
    is there a simple doc that explains the difference between the two. Is it something to do with setup?

    Re: Security, Thanks Frank, a question on your example

  • ALSB passing NTLM security credentials to end point URL in business service

    Hi,
    We are using AXIS API to pass NTLM authentication details to SharePoint Web Service by setting the user name and password details as below.
    call.setUsername
    call.setPassword
    This is working fine when we invoke the MOSS search WSDL directly. However, when we introduce ALSB in between and create proxy and business service, the user name and password set using call.setUsername and call.setPassword are not passed correctly and we are getting the below error.
    BEA-380000: Unauthorized
    Could any one help how this can be resolved?
    Thanks
    Sampath

    RK,
    Use the *$inbound/ctx:transport/ctx:request/http:query-string* element to get all the arguments in the URL.
    http://docs.oracle.com/cd/E13159_01/osb/docs10gr3/httppollertransport/transports.html#wp1083292.
    After that You can have conditional routing to Route it specific BS either Fiction BS or WarBased BS or you can try using Routing Table.
    For doing that do I need to maintain any schema for Business Service?
    No, I think if you just need to route the request to JMS BS coming from Other Application,
    But if You want to validate the request which you would be sending to BS then use schema to validate your incoming request.
    Regards,
    Abhinav

  • Authorization check for caller assignment to J2EE security role

    Dear experts, in the default.trc logs in my Enterprise Portal NW2004s, this error appears:
    #1.#0018714E4A14005E000027E1000057B8000441BB7EF2FC03#1198173451524#com.sap.engine.services.security.roles.SecurityRoleReference#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleReference#Guest#2126####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ : ] referencing J2EE security role [ : ].#5#ACCESS.ERROR#service.jms.default.authorization#administrators#SAP-J2EE-Engine#administrators#
    #1.#0018714E4A14005E000027E5000057B8000441BB7F8BDC21#1198173461543#com.sap.engine.services.security.roles.SecurityRoleImpl#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#2127####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ :
    Any idea about it?
    Thanks friends

    Hi Holger,
    Thanks for the tip, it could be the case, I just checked and we are on Patch 0 for JEECOR as you can see here below:
    sap.com/SAP-JEECOR   7.00 SP13 (1000.7.00.13.0.20070907082334)  20071028144036 
    sap.com/SAP-JEE          7.00 SP13 (1000.7.00.13.2.20071026143730)  20071203150628 
    Will inform some people internally to patch to at least 3 to check if it still occurs.
    Anyway, Thanks again..
    Benjamin Houttuin

  • Error :Authorization check for caller assignment to J2EE security role whil

    Hi Experts,
    I am working as a portal resource.
    After the deployment of the standard SAP e-rec package
    I am getting some errors. I have assigned the recruiter role to one test user.
    Now I am getting two issues:
    1) All the services are appearing in the Detailed Navigation Panel but not in the Portal content area.
    2) I am able to see a few iViews for the test user but those are also in the detailed navigation view.
       And a few iViews are giving the following error:
      i) Internal error
    ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
    /System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
    Full Message Text
    ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
    Please suggest what can be done or what is pending from my side.

    Prajakta2602 wrote:
    > Hi Experts,
    >
    > the previous issue got solved.
    > It was due to a service pack mismatch and applying notes.
    > The Basis guy checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required patching as per
    > notes 1445294 and 1175239 were applied.
    > Now the issue is:
    >
    > After implementation and assigning the standard SAP roles
    > 1) Recruiter Administrator
    > 2) Recruiter
    > to the test user,
    > for a few iViews it is showing errors such as
    > 1) you are not an authorized user
    > 2) internal error
    >
    > Please help, experts.
    >
    > I am working on the portal side; do I have to assign any role to that test user?
    >
    > Thanks & Regards,
    > Prajakta
    You can run a quick check using the below steps:
    1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
    2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
    Regards,
    Mahesh

  • NWDS Webdynpro deploy: Cannot login to the SAP J2EE Engine using ......

    Friends,
    I am getting the following error while deploying a web dynpro application through NWDS.
    Aborted: development component 'WebDynpro_ErrorBehavior'/'local'/'LOKAL'/'0.2007.05.29.17.02.04'/'1':Cannot login to the SAP J2EE Engine using user and password as provided in the Filesystem Secure Store. Enter valid login information in the Filesystem Secure Store using the SAP J2EE Engine Config Tool. For more information, see SAP note 701654.com.sap.sdm.serverext.servertype.inqmy.extern.DeployManagerAuthExceptionWrapper: Wrong security credentials detected while trying to obtain connection to the J2EE Engine. (message ID: com.sap.sdm.serverext.servertype.inqmy.extern.EngineApplOnlineDeployerImpl.checkLoginCredentials.DMAUTHEXC)
    I get this error after I supply the SDM password which NWDS asks before deploying.
    Can someone guide?
    Thanks

    In the additional error log it says:
    Unable to compare host[px1db] and host[x900704] Throwable: java.net.UnknownHostException Throwable message: x900704: x900704
    where px1db is my portal server and x900704 is my local machine name.
    I don't know why it says so. In NWDS I have configured only px1db.
    any thoughts.
    Vinay

  • Problem with deployment [credentials error] in Web Dynpro

    Hi all,
    Suddenly I was not able to deploy anymore.
    I am using SAP NetWeaver Developer Studio, Version: 7.0.11, Build id: 200702010238.
    For deployment I log with user SDM and some password. The Visual Admin wanted to change the Administrator's password and since then I am not able to deploy my project in Web Dynpro.
    I am a little confused actually how changing Administrator's password and not changing SDM's password would lead to such an issue.
    I will highly appreciate if somebody could give me a clue about a solution!
    Error details -
    Dec 11, 2007 1:28:58 PM /userOut/deploy (com.sap.ide.eclipse.sdm.threading.DeployThreadManager) [Thread[Deploy Thread,5,main]] ERROR:
    [001]Deployment aborted
    Settings
    SDM host : sofD60161589A
    SDM port : 53018
    URL to deploy : file:/D:/temp/temp51933ToolAddProject.ear
    Result
    => deployment aborted : file:/D:/temp/temp51933ToolAddProject.ear
    Aborted: development component 'ToolAddProject'/'local'/'LOKAL'/'0.2007.12.11.13.28.41'/'0':
    Cannot login to the SAP J2EE Engine using user and password as provided in the Filesystem Secure Store. Enter valid login information in the Filesystem Secure Store using the SAP J2EE Engine Config Tool. For more information, see SAP note 701654.
    com.sap.sdm.serverext.servertype.inqmy.extern.DeployManagerAuthExceptionWrapper: Wrong security credentials detected while trying to obtain connection to the J2EE Engine.
    (message ID: com.sap.sdm.serverext.servertype.inqmy.extern.EngineApplOnlineDeployerImpl.checkLoginCredentials.DMAUTHEXC)
    Deployment exception : The deployment of at least one item aborted
    P.S. Please don't reply me with "search the forum..." and don't redirect me to some links. I did it already and it doesn't help. So, please if somebody knows the solution and wants to help - just to do it.
    Best regards,
    Ogniana

    Hi Ognyana,
    Do the following Steps,
    Use the Config Tool to change the entry in secure storage as follows:
    1. Start the Config Tool.
    (Execute <SAPj2eeEngine_install_dir> \configtool\configtool.bat.)
    2. Select the secure store node.
    The configuration for the secure storage in the file system appears.
    3. Select the admin/password/<SID> entry.
    4. Enter the administrator user's new password in the "Value" field and choose "Add".
    5. Choose "File" --> "Apply" to save the data.
    Note: Contrary to the message that appears, you do not need to restart the server or cluster for this change to take effect.
    6. Finally restart SDM server.
    Then deploy.
    Refer SAP note 701654
    Regards,
    Mithu

  • Problem mapping LoginModule roles to ejb security roles

    I have "successfully" managed to implement the DBSystemLoginModule. When I run my application I successfully authenticate to the database, the login module successfully retrieves the users roles from the database and adds them to the subject:
    PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
    LoginContext lc = new LoginContext("current-workspace-app", cbh);
    lc.login();
    I then perform a lookup on a bean using the same user:
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
    env.put("java.naming.security.principal",username);
    env.put("java.naming.security.credentials",password);
    env.put("java.naming.provider.url", "ormi://localhost:23891/current-workspace-app");
    Context ic = new InitialContext(env);
    final SessionEJBHome sessionEJBHome =
    (SessionEJBHome) PortableRemoteObject.narrow( ic.lookup( "SessionEJB" ), SessionEJBHome.class );
    Finally, I create an instance of the bean and call a method of this bean.
    SessionEJB sessionEJB;
    sessionEJB = sessionEJBHome.create( );
    sessionEJB.testMe( );
    I am expecting (hoping) that the roles retrieved from the database by the login module may be used to authenticate the ejb methods. i.e. if (in ejb-jar.xml) the method "testMe" has a method-permission with role-name of "ABC" then this method may only be accessed if the user is a member of the "ABC" role retrieved from the database by the login module. However I get the message:
    "username is not allowed to call this EJB method"
    When I add a security-role-mapping in orion-ejb-jar.xml mapping the role "ABC" to the group "ABC" (and impliesALL="true") then the method is called successfully. However, if I add a security-role-mapping mapping the role "DEF" to the group "DEF" (which the user is not a member of) the ejb method is (wrongly) called successfully (with implies all="false" the method always fails). In other words there seems to be no mapping of the roles retrieved by the login module to the ejb security roles.
    Can anyone please enlighten me on how I can achieve the mapping of the ejb security roles to the roles obtained from the login module.
    Thanks
    PS I have this problem with JDeveloper 10.1.3 (Developer Preview 10.1.3.0.2.223 and Early Access 10.1.3.0.3.3412)

    Hi Sebastian,
    yes, it is possible to do such mapping. And here how it works:
    1. define security roles in the ejb-jar.xml within the <security-role>. For example:
    <security-role>
         <role-name>test</role-name>
    </security-role>
    2. then you map those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
    <security-permission>
       <security-role-map>
          <role-name>test</role-name>
          <server-role-name>myUMErole</server-role-name>
       </security-role-map>
    </security-permission>
    the myUMErole must be defined in the UME!
    Does this answer your question?
