[Security Development] New message: "Re: EJB3 security - Skip authorization for @PermiAll?"
by jaikiran pai
JBoss development,
A new message was posted in the thread "EJB3 security - Skip authorization for @PermiAll?":
http://community.jboss.org/message/531682#531682
Author : jaikiran pai
Profile : http://community.jboss.org/people/jaikiran
Message:
--------------------------------------------------------------
> anil.saldhana@jboss.com wrote:
>
> That behaves as an "unchecked" operation. Now either we can centralize all security operations in the security layer (including the @PA check) or we can add code to the integration layer (here the ejb3 interceptor) to not invoke the security layer, for performance benefit.
>
> For this particular case, it makes sense to do the latter.
While discussing this with Carlo, he brought up an interesting point related to auditing - Does skipping this authorization from the integration points (like this EJB3 code) result in any side-effects to any security auditing that might be happening through the security APIs? If yes, then maybe centralizing this kind of optimization within the security layer would be a better option.
--------------------------------------------------------------
To reply to this message visit the message page: http://community.jboss.org/message/531682#531682
[Clustering Development] New message: "JBCLUSTER Projects and Eclipse"
by Brian Stansberry
JBoss development,
A new message was posted in the thread "JBCLUSTER Projects and Eclipse":
http://community.jboss.org/message/531672#531672
Author : Brian Stansberry
Profile : http://community.jboss.org/people/bstansberry@jboss.com
Message:
--------------------------------------------------------------
I want to clean up the eclipse integration with the JBCLUSTER projects. Basically I want all these projects to be purely m2eclipse based -- you import them into your eclipse workspace as a "Maven Project" not as an "Existing Project into Workspace". The maven pom drives everything and any eclipse-specific files are purely local to your environment.
Cleaning this up for a project's development branch means:
1) Getting any eclipse-related files out of svn.
2) Adding any such files eclipse generates to svn:ignore.
I'm not going to go through all the projects right now and fix this. But if anyone works on one of them, please keep this goal in mind and if you have a few spare minutes, clean up that project.
--------------------------------------------------------------
To reply to this message visit the message page: http://community.jboss.org/message/531672#531672
[JBoss Web Services Development] New message: "drools application (project) on the web"
by Johanna Voxy
JBoss development,
A new message was posted in the thread "drools application (project) on the web":
http://community.jboss.org/message/531619#531619
Author : Johanna Voxy
Profile : http://community.jboss.org/people/voxy
Message:
--------------------------------------------------------------
Hi guys,
I'm pretty new to Drools, and maybe it's a dummy question for you, but I would like to run a Drools project on the web, and I don't know how to export/import it, or how to configure my web server to be able to run the project on the web to allow my users to use it.
For now, I just want to start with the HelloWorld example and the PetStore example, which I tried without any problem in Eclipse on my machine, and be able to run these examples on the web... then I will try with my real project.
Any tips?
Thanks all!
--------------------------------------------------------------
To reply to this message visit the message page: http://community.jboss.org/message/531619#531619
[JBoss Portal Development WSRP] New message: "drools application (project) on the web"
by Johanna Voxy
JBoss development,
A new message was posted in the thread "drools application (project) on the web":
http://community.jboss.org/message/531618#531618
Author : Johanna Voxy
Profile : http://community.jboss.org/people/voxy
Message:
--------------------------------------------------------------
Hi guys,
I'm pretty new to Drools, and maybe it's a dummy question for you, but I would like to run a Drools project on the web, and I don't know how to export/import it, or how to configure my web server to be able to run the project on the web to allow my users to use it.
For now, I just want to start with the HelloWorld example and the PetStore example, which I tried without any problem in Eclipse on my machine, and be able to run these examples on the web... then I will try with my real project.
Any tips?
Thanks all!
--------------------------------------------------------------
To reply to this message visit the message page: http://community.jboss.org/message/531618#531618
[JBoss Web Development] New message: "drools application on the web"
by Johanna Voxy
JBoss development,
A new message was posted in the thread "drools application on the web":
http://community.jboss.org/message/531617#531617
Author : Johanna Voxy
Profile : http://community.jboss.org/people/voxy
Message:
--------------------------------------------------------------
Hi guys,
I'm pretty new to Drools, and maybe it's a dummy question for you, but I would like to run a Drools project on the web, and I don't know how to export/import it, or how to configure my web server to be able to run the project on the web to allow my users to use it.
For now, I just want to start with the HelloWorld example and the PetStore example, which I tried without any problem in Eclipse on my machine, and be able to run these examples on the web... then I will try with my real project.
Any tips?
Thanks all!
--------------------------------------------------------------
To reply to this message visit the message page: http://community.jboss.org/message/531617#531617
[Security Development] New message: "EJB3 security - Skip authorization for @PermiAll?"
by jaikiran pai
JBoss development,
A new message was posted in the thread "EJB3 security - Skip authorization for @PermiAll?":
http://community.jboss.org/message/531585#531585
Author : jaikiran pai
Profile : http://community.jboss.org/people/jaikiran
Message:
--------------------------------------------------------------
I was looking at a thread in the EJB3 forum which was talking about poor performance of a bean method invocation when the bean is marked with a @SecurityDomain, as compared to a similar bean without any @SecurityDomain. The bean is like this:
    @Stateless
    @Local(Ping.class)
    @SecurityDomain(unauthenticatedPrincipal = "anonymous", value = "other")
    @PermitAll
    @LocalBinding(jndiBinding = BeanWithSecurityDomain.JNDI_NAME)
    public class BeanWithSecurityDomain implements Ping
    {
       public static final String JNDI_NAME = "SecurityDomainBean";

       /**
        * @see org.jboss.ejb3.test.perf.Ping#ping()
        */
       public String ping()
       {
          return "pong1";
       }
    }
Notice the use of @PermitAll. In the EJB3 security-related interceptor org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2, I notice that even if the class/method is marked for @PermitAll, the code leads to an authorization call:
    boolean isAuthorized = helper.authorize(ejbName,
                                            mi.getMethod(),
                                            sc.getUtil().getUserPrincipal(),
                                            iface,
                                            ejbCS,
                                            sc.getUtil().getSubject(),
                                            callerRunAs,
                                            contextID,
                                            new SimpleRoleGroup(methodRoles));
The authorization call is expensive.
My understanding of @PermitAll was that we would skip this authorization altogether. Is there any reason why we have to authorize even when the bean is marked for @PermitAll?
--------------------------------------------------------------
To reply to this message visit the message page: http://community.jboss.org/message/531585#531585
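The trade-off raised in this thread (skipping the expensive authorization call for @PermitAll in the interceptor, and the audit concern raised in the reply), shown as an added sketch that is not JBoss code and not from either post. The names PermitAllShortCircuit, Authorizer, AUDIT and PingBean are hypothetical, and the three annotations are local stand-ins for the javax.annotation.security ones so the file compiles on a bare JDK. It assumes security metadata comes from annotations only, with no deployment-descriptor overrides.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class PermitAllShortCircuit {
    // Local stand-ins for the javax.annotation.security annotations (bare-JDK build).
    @Retention(RetentionPolicy.RUNTIME) @interface PermitAll {}
    @Retention(RetentionPolicy.RUNTIME) @interface DenyAll {}
    @Retention(RetentionPolicy.RUNTIME) @interface RolesAllowed { String[] value(); }

    // Hypothetical stand-in for the expensive helper.authorize(...) call quoted in the post.
    interface Authorizer { boolean authorize(String principal, Method m); }

    static final List<String> AUDIT = new ArrayList<>(); // hypothetical audit sink

    // A method-level annotation overrides the class-level one, so a class-level
    // @PermitAll must not make a @RolesAllowed or @DenyAll method unchecked.
    static boolean isUnchecked(Method m) {
        if (m.isAnnotationPresent(PermitAll.class)) return true;
        if (m.isAnnotationPresent(DenyAll.class) || m.isAnnotationPresent(RolesAllowed.class)) return false;
        return m.getDeclaringClass().isAnnotationPresent(PermitAll.class);
    }

    // Interceptor-side decision: skip the authorizer for unchecked methods,
    // but write an audit record on both paths so the shortcut leaves a trace.
    static boolean checkAccess(String principal, Method m, Authorizer authz) {
        boolean skipped = isUnchecked(m);
        boolean allowed = skipped || authz.authorize(principal, m);
        AUDIT.add((allowed ? "PERMIT " : "DENY ") + principal + " " + m.getName()
                + (skipped ? " (unchecked, authorizer skipped)" : ""));
        return allowed;
    }

    @PermitAll
    static class PingBean {                       // constructed sample bean
        public String ping() { return "pong1"; }
        @RolesAllowed("admin") public String reset() { return "done"; }
    }

    public static void main(String[] args) throws Exception {
        int[] calls = {0};                        // counts expensive authorizer calls
        Authorizer deny = (p, m) -> { calls[0]++; return false; };
        System.out.println(checkAccess("anonymous", PingBean.class.getMethod("ping"), deny));
        System.out.println(checkAccess("anonymous", PingBean.class.getMethod("reset"), deny));
        System.out.println("authorizer calls: " + calls[0]);
        AUDIT.forEach(System.out::println);
    }
}
```

If the audit record is instead written inside the security layer's authorize path, the interceptor-level shortcut bypasses it, which is the side effect the reply asks about.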