[jboss-dev-forums] [JBoss AS 7 Development] - JBoss 7 and Ejb remote call with security

Petr Mates do-not-reply at jboss.com
Sat Feb 25 03:34:35 EST 2012


Petr Mates [https://community.jboss.org/people/mates1234] modified the document:

"JBoss 7 and Ejb remote call with security"

To view the document, visit: https://community.jboss.org/docs/DOC-17581

--------------------------------------------------------------
This article describes my tests with EJB and JBoss 7.

For my test I have an EAR (TestEar) with one EJB module (TestEjb) and one bean (TestBean).

TestEar.ear
   +---TestEjb.ejb
       +--mates.test.TestBean.class
          mates.test.TestBeanRemote.class


For security I use RealmUsersRoles with
*+x-users.properties+*
testX=test1234

*+x-roles.properties+*
testX=bean


And now standalone.xml.
I changed ApplicationRealm:
<security-realm name="ApplicationRealm">
     <authentication>
          <jaas name="bean-sec-domain"/>
     </authentication>
</security-realm>

and security domain

<security-domain name="bean-sec-domain" cache-type="default">     
     <authentication>
          <login-module code="Remoting" flag="optional">
               <module-option name="password-stacking" value="useFirstPass"/>
          </login-module>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
               <module-option name="defaultUsersProperties" value="file:/${jboss.server.config.dir}/x-users.properties"/>
               <module-option name="defaultRolesProperties" value="file:/${jboss.server.config.dir}/x-roles.properties"/>
               <module-option name="usersProperties" value="file:/${jboss.server.config.dir}/x-users.properties"/>
               <module-option name="rolesProperties" value="file:/${jboss.server.config.dir}/x-roles.properties"/>
               <module-option name="password-stacking" value="useFirstPass"/>
          </login-module>
     </authentication>
</security-domain>


And now let's look at the bean.

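package mates.test;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles("bean")
public class TestBean implements TestBeanRemote {
 
        @Resource
        private EJBContext context;
 
        // Only callers in role "bean" may invoke this method.
        @Override
        @RolesAllowed("bean")
        public String getName ()
        {
                return "secured " + getNameFree();
        }
 
        // No role restriction: reports the caller name and whether it has role "bean".
        @Override
        public String getNameFree ()
        {
                String aName = "";
                if (context.getCallerPrincipal() != null) {
                        aName = context.getCallerPrincipal().getName();
                }
                return "name " + aName + " " + context.isCallerInRole("bean");
        }
}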


Let's secure the EJBs.
Add *+jboss-app.xml+* to TestEar.ear\META-INF. I use the security domain other to ensure that I secure all beans.

<?xml version="1.0" encoding="UTF-8"?>
<p:jboss-app xmlns:p="http://www.jboss.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee ../../xsd/jboss-app_7_0.xsd ">
    <security-domain>other</security-domain>
</p:jboss-app>

And I want to secure TestBean. I have to add *+jboss-ejb3.xml+* to TestEjb.jar\META-INF\. TestBean is secured by *bean-sec-domain*.

<?xml version="1.0" encoding="UTF-8"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="urn:security" version="3.1" impl-version="2.0">
    <assembly-descriptor xmlns="http://java.sun.com/xml/ns/javaee">
        <security:security xmlns:security="urn:security">
            <security:security-domain>bean-sec-domain</security:security-domain>
            <ejb-name>TestBean</ejb-name>
        </security:security>
    </assembly-descriptor>
</jboss:ejb-jar>



The remote interface is really simple, with 2 methods.

Client:

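import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import mates.test.TestBeanRemote;
import org.jboss.naming.remote.client.InitialContextFactory;

public class TestClient { // class name added for this listing
    public static void main(String[] args) throws Exception {
        Hashtable<String, Object> p = new Hashtable<String, Object>();
        p.put(Context.INITIAL_CONTEXT_FACTORY, InitialContextFactory.class.getName());
        p.put(Context.PROVIDER_URL, "remote://127.0.0.1:4447/");
        p.put(InitialContext.SECURITY_PRINCIPAL, "testX");
        p.put(InitialContext.SECURITY_CREDENTIALS, "test1234");
        // Set up the EJB client context from this JNDI context (see the tests below).
        p.put("jboss.naming.client.ejb.context", true);
        // Allows plaintext SASL mechanisms: the password is sent unencrypted unless the connection uses SSL.
        p.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

        InitialContext c = new InitialContext(p);
        TestBeanRemote vLookup = (TestBeanRemote) c.lookup("java:/TestEar/TestEjb/TestBean!"+ TestBeanRemote.class.getName());

        System.out.println("x" + vLookup.getNameFree());
        System.out.println("x" + vLookup.getName());
    }
}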


After this you can see

xname testX true
xsecured name testX true


*That's all.*

*And now some other tests:*
The most important part is
+*p.put("jboss.naming.client.ejb.context", true);*+
without this property you will see "+No EJB receiver available for handling [appName:TestEar,modulename:TestEjb,distinctname:] combination+"

When you put the file *+jboss-ejb-client.properties+* on the class path with the standard content

remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

remote.connections=x1

remote.connection.x1.host=127.0.0.1
remote.connection.x1.port = 4447
remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false  



and comment out +*p.put("jboss.naming.client.ejb.context", true);*+
the console now shows

xname $local false
Exception in thread "main" javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String mates.test.TestBeanRemote.getName() of bean: TestBean is not allowed


+*jboss.naming.client.ejb.context*+ sets up the EJBContext on the client side. See *+org.jboss.naming.remote.client.InitialContextFactory+*
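
An added example, not part of the original document: a small Python check that reads a jboss-ejb-client.properties file like the one above and reports the settings it explicitly relaxes (SSL disabled, plaintext or anonymous SASL allowed) and connections with no user name in the file. The `username` key is a jboss-ejb-client property that does not appear on this page; the sample text is the page's file reproduced inline.

```python
# Constructed sample: the jboss-ejb-client.properties content shown on this page.
SAMPLE = """\
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

remote.connections=x1

remote.connection.x1.host=127.0.0.1
remote.connection.x1.port = 4447
remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
"""

PROVIDER_OPT = "remote.connectionprovider.create.options.org.xnio.Options."


def parse_properties(text):
    """Parse 'key=value' / 'key = value' lines; skip blank lines and comments.
    Simplified: ':' separators and line continuations are not handled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_false(props, key):
    # Only explicit values are checked; no defaults are assumed.
    return props.get(key, "").lower() == "false"


def audit(text):
    """Return a list of (scope, finding) tuples for explicitly relaxed settings."""
    props = parse_properties(text)
    findings = []
    ssl_off = is_false(props, PROVIDER_OPT + "SSL_ENABLED")
    if ssl_off:
        findings.append(("provider", "SSL disabled"))
    names = [n.strip() for n in props.get("remote.connections", "").split(",")]
    for name in filter(None, names):
        base = "remote.connection.%s." % name
        opt = base + "connect.options.org.xnio.Options."
        if ssl_off and is_false(props, opt + "SASL_POLICY_NOPLAINTEXT"):
            findings.append((name, "plaintext SASL allowed without SSL"))
        if is_false(props, opt + "SASL_POLICY_NOANONYMOUS"):
            findings.append((name, "anonymous SASL allowed"))
        if base + "username" not in props:
            findings.append((name, "no username configured"))
    return findings
```

Running `audit(SAMPLE)` flags the provider and connection x1; a file with SSL enabled, both SASL policy options set to true and a user name for x1 produces no findings.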

--------------------------------------------------------------
