EJB Security: allowing any authenticated user  RSS feed

 
Greenhorn
Posts: 28
Hi to all!
I would like to allow access in my EJB to any authenticated user, but not to un-authenticated users.
If I annotate the class with @PermitAll, it works somehow; all authenticated users can indeed invoke the bean's method. But so can users that are not authenticated.

Any ideas?

Regards

Alejandro
 
Sheriff
Posts: 10447
J2EE provides role-based security. If you have to restrict access to the methods to authenticated users, you will have to add these users to some role and then use the @RolesAllowed annotation.
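The role-based approach described in the reply above, written out as an added example that is not part of the original thread. The role name "user", the use of EJBAccessException for the programmatic check, and the assumption that the server's login configuration maps every real login to that role (and the unauthenticated "guest" identity to no role) are mine; SecurityRemote is the thread's own interface and is assumed to be declared elsewhere.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"user"})   // roles this bean refers to (assumed role name)
@RolesAllowed({"user"})   // class-wide default: every business method needs "user"
public class SecurityBean implements SecurityRemote {

    @Resource
    private SessionContext sessionContext;

    // Assumption: the container's login module puts every authenticated caller
    // into "user" and leaves the unauthenticated "guest" identity without roles,
    // so the container rejects a guest call with EJBAccessException before the
    // method body runs. No string comparison against a principal name is needed.
    public void testSecurity() {
        // Same check done programmatically; useful in a method that is also
        // opened to other roles and must still distinguish logged-in callers.
        if (!sessionContext.isCallerInRole("user")) {
            throw new EJBAccessException("caller is not an authenticated user");
        }
    }
}
```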
 
Alejandro Dominguez
Greenhorn
Posts: 28
I see, kind of what I feared...
Anyway, thank you!

Alejandro
 
Alejandro Dominguez
Greenhorn
Posts: 28
Hi,
upon further investigation I found a workaround to my situation; according to my domain rules any un-authenticated invoker will receive a "guest" identity (with JBoss it's in the conf/login-config.xml file).
Thus, it was just a matter of creating an Interceptor that, with an injected SessionContext, validated that the principal's name is not equal to "guest".

See my implementation below:

Bean class

import javax.ejb.Stateless;
import javax.interceptor.Interceptors;

@Stateless
@Interceptors(SecurityInterceptor.class)   // every business method passes through the interceptor
public class SecurityBean implements SecurityRemote {

    public void testSecurity() {
        // reached only after the interceptor has accepted the caller
    }
}


import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

// Interceptor class
public class SecurityInterceptor {
    @Resource SessionContext sessionContext;   // injected by the container

    @AroundInvoke
    public Object securityCheck(InvocationContext ctx) throws Exception {
        // Unauthenticated callers receive the "guest" identity from the server's
        // login configuration, so a "guest" principal means no real login happened.
        if (sessionContext.getCallerPrincipal().getName().equalsIgnoreCase("guest")) {
            throw new SecurityException("No authenticated user provided");
        }
        return ctx.proceed();
    }
}



Anyway, just wanted to share in case somebody finds himself/herself in this kind of situation.

Regards