WebServices and J2EE security
I've got a generic question here, and maybe some of you already experienced it.
I did not have the opportunity yet to read about J2EE security (actually I won a book here on that subject 2 months ago but still waiting to receive it), so please don't bash me if my questions are silly.
I have some webServices acting as a facade to a J2EE aplication.
Application's security is done via the container (J2EE, declarative)
Once the WebService is called, is there a way to "give" the container some credentials, in order to let it deals with the authorization stuffs, according to roles associated to my EJB methods. ??
Or is this something only a J2EE 1.4 App. Server will be able to do with Java ACC (JSR 115) ?
Kyle, your advices are welcome here (as usual) as my App Server is Websphere 5
/ JeanLouis<br /><i>"software development has been, is, and will remain fundamentally hard" (Grady Booch)</i><br /> <br />Take a look at <a href="http://www.epfwiki.net/wikis/openup/" target="_blank" rel="nofollow">Agile OpenUP</a> in the Eclipse community
Come on Bill, Lasse, HS, Kyle or anyone out there !
Shoul my question be posted somewhere else. Maybe the J2EE thread is more appropriate
[ May 27, 2003: Message edited by: Jean-Louis Marechaux ]
/ JeanLouis<br /><i>"software development has been, is, and will remain fundamentally hard" (Grady Booch)</i><br /> <br />Take a look at <a href="http://www.epfwiki.net/wikis/openup/" target="_blank" rel="nofollow">Agile OpenUP</a> in the Eclipse community
Sheriff
Author of Test Driven (2007) and Effective Unit Testing (2013) [Blog] [HowToAskQuestionsOnJavaRanch]
I guess you are looking for a solution that provides seamless access to components the right level of security, and want to avoid anything that will be a frequent support problem .
Don't know anything about J2EE 1.4 App Servers but but I'm surmising that the responsibility lies with the component deployer, so there should be a J2EE equivalent(within the jacc ?) to set permissions at runtime.
Good question. I hadn't thought of this issue. Could be contentious.The following may help.
Looks as though it's up to your policy provider.
The J2EE Servlet and EJB containers serve as an authorization boundary between callers and container-hosted components. When a container receives a request for a component, it determines if the caller has been granted permission to perform the request on the component. Both the Servlet and EJB APIs also provide an interface for a component to ask its container if its caller has been granted the permissions that correspond to an identified role.
The J2SE security architecture provides a fine-grained access control mechanism based on a policy-driven permission model.
For the J2SE reference implementation, the policy is represented external to the Java runtime using a simple syntax that grants permissions to authenticated entities. Authenticated entities are modeled by the java.security.CodeSource class and classes that implement the java.securityPrincipal interface.
The java.security.Policy class defines methods that are implemented by a policy provider. It is the role of the policy provider to map the external security policy to the collections of permissions granted to authenticated entities.
Any help ?
I have some webServices acting as a facade to a J2EE aplication.
May also depend on who is calling who ? A J2EE application can call a Web Service component(who'll presumably be the policy provider in this case).
In your example the policy provider may be centred around the J2EE application.
Yes, but HOW I hear you ask. Sorry , don't know.
regards
[ May 28, 2003: Message edited by: HS Thomas ]
But when the caller is a webService, I need a hook to perform authentication using the J2EE container.
And I'm not sure whether this is possible or if I have to forget container-managed security....
I wonder if this "hook" is available with J2EE 1.3 app server or if it is what JACC is all about (J2EE 1.4)
/ JeanLouis<br /><i>"software development has been, is, and will remain fundamentally hard" (Grady Booch)</i><br /> <br />Take a look at <a href="http://www.epfwiki.net/wikis/openup/" target="_blank" rel="nofollow">Agile OpenUP</a> in the Eclipse community
Ranch Hand
However, even without the Web Service Tech Preview, if you secure your Web Services servlet (the router servlet) and use basic HTTP authorization (which M$, JAX-RPC, Apache SOAP, Axis and every other toolkit supports) then the credentials will be passed through correctly.
Kyle
Kyle Brown, Author of Persistence in the Enterprise and Enterprise Java Programming with IBM Websphere, 2nd Edition
See my homepage at http://www.kyle-brown.com/ for other WebSphere information.
As a matter of fact, it came to me that WebServices are "just" a servlet.
So securing the servlet (rpcrouter in my case) should theorically work. Not tested it yet with WebSphere 5.
[ June 02, 2003: Message edited by: Jean-Louis Marechaux ]
/ JeanLouis<br /><i>"software development has been, is, and will remain fundamentally hard" (Grady Booch)</i><br /> <br />Take a look at <a href="http://www.epfwiki.net/wikis/openup/" target="_blank" rel="nofollow">Agile OpenUP</a> in the Eclipse community
|