In this blog post I will try to provide a short primer on security with EJBs: how a client passes its security context to the server, and how the server declares who may call which bean methods.
Client Side:
For EJBs, you can pass the caller's security context (principal and credentials) from the client side in two ways:
a) Username/Password via properties into initial context
      // Imports needed for this snippet (javax.naming and javax.rmi).
      import java.util.Properties;
      import javax.naming.Context;
      import javax.naming.InitialContext;
      import javax.rmi.PortableRemoteObject;

      // The initial-context factory and provider URL are assumed to come from
      // jndi.properties on the classpath; only the credentials are set here.
      Properties p = new Properties();
      p.put(Context.SECURITY_PRINCIPAL, "principalName");
      p.put(Context.SECURITY_CREDENTIALS, "pass");
      Context ic = new InitialContext(p);
      Object ejbHome = ic.lookup("someejb");
      // narrow() is required for RMI-IIOP; a plain cast is not portable.
      AccountHome accountHome = (AccountHome) PortableRemoteObject.narrow(ejbHome, AccountHome.class);
b) Do an explicit JAAS login before doing InitialContext
      import javax.naming.Context;
      import javax.naming.InitialContext;
      import javax.rmi.PortableRemoteObject;
      import javax.security.auth.login.LoginContext;

      // "someconfig" names an entry in the JAAS login configuration; the
      // login modules it lists decide how the principal is authenticated.
      LoginContext lc = new LoginContext("someconfig");
      lc.login();
      // No credentials in the properties: the subject from the JAAS login is
      // associated with the calls made through this context.
      Context ic = new InitialContext();
      Object ejbHome = ic.lookup("someejb");
      AccountHome accountHome = (AccountHome) PortableRemoteObject.narrow(ejbHome, AccountHome.class);
NOTE: Do not forget your try/catch/finally blocks above (NamingException and LoginException are checked exceptions, and the context should be closed and the JAAS session logged out in finally).
General JNDI security is highlighted here:
http://java.sun.com/products/jndi/tutorial/ldap/security/index.html
Server Side: 
On the server side, the EJBs are packaged in a jar file. This jar file can also be packaged in an EAR (Enterprise Archive). For EJB 2, the security descriptors go in ejb-jar.xml via the method-permission elements: you define the roles that can access the methods of the EJBs. You can also define a "run-as" identity on a bean so that calls it makes to other deployments are made with a given role rather than the caller's.
Do remember to create a jboss.xml to define a security domain.