
Run-As Security Identity

 
Jason Nesbitt
Greenhorn
Posts: 16
I have an EJB that is exposed as a web service so that one of our external business partners can interact with our system. I only want to give them access to the web service and not the EJBs that the web service calls, so it seems that using the run-as security identity would be appropriate here. However, this introduces a side effect into the system. Some of the things that the EJBs called by the web service do are dependent upon the current caller's identity, and it is important here that they know that the caller IS the external business partner.
Is there a way to determine who a caller REALLY is while allowing them to run with the upgraded permissions from another role? If not, is there a better design strategy that I could apply here which might be a more elegant solution?

Thank you
 
Stan Sokolov
Ranch Hand
Posts: 120
This is my own opinion. Don't map EJB to WS at all. Use a simple servlet handler instead. This servlet can be used only to intercept WS calls. After the servlet has intercepted a request it should set the user identity to whatever you want and then call the EJB, passing some additional attribute with the user identity to the EJB. If you want to verify client identity on each WS call then you need to use XML security that can add a digital signature to the SOAP request. You can identify the caller by this signature. Web services don't use cookies or something like that, so you could not verify the identity of the client only once - you must do it again on every call. The AXIS framework recommends using special filters for these purposes.
 
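Added example (not from either poster) showing one way to keep the real caller's identity across a run-as boundary: the web-service facade bean reads the partner's principal before the container applies the run-as role on its outbound call, then passes it explicitly to the internal bean. Class, method and role names are assumed, and it relies on the EJB spec rule that run-as only changes the identity propagated on calls the bean makes, not the caller identity the bean itself sees; check how your container behaves before depending on it.

```java
// Added example (not from the thread): capture the real caller before
// crossing a run-as boundary and pass it explicitly to the internal EJB.
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jws.WebService;

// Facade the partner calls. They authenticate in role "partner" (assumed
// name); the container makes this bean's outbound calls as role "internal".
@Stateless
@WebService
@RolesAllowed("partner")
@RunAs("internal")
public class PartnerOrderEndpoint {
    @Resource
    private SessionContext ctx;

    @EJB
    private OrderServiceBean orders;

    public String submitOrder(String item) {
        // Per the EJB spec, run-as changes the identity propagated on calls
        // this bean makes, not the caller identity it sees itself, so this
        // is still the partner's authenticated principal.
        Principal partner = ctx.getCallerPrincipal();
        return orders.placeOrder(partner.getName(), item);
    }
}

// Internal bean, reachable only by the "internal" role (would normally be a
// public class in its own file). Because the endpoint is the only code given
// that role, originalCaller is trustworthy exactly as far as the endpoint is;
// it is plain data, not a container-verified principal.
@Stateless
@RolesAllowed("internal")
class OrderServiceBean {
    @Resource
    private SessionContext ctx;

    public String placeOrder(String originalCaller, String item) {
        // Here getCallerPrincipal() reports the run-as identity, not the partner.
        String runAs = ctx.getCallerPrincipal().getName();
        return "order for " + item + " by " + originalCaller + " via " + runAs;
    }
}
```

Anything downstream that makes an authorization decision on originalCaller should log both values, so an audit trail shows which partner acted and which run-as identity carried the request.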