EJB Security: allowing any authenticated user

 
Greenhorn
Posts: 28
Hi to all!
I would like to allow access in my EJB to any authenticated user, but not to un-authenticated users.
If I annotate the class with @PermitAll, it works somehow; all authenticated users can indeed invoke the bean's method. But so can users that are not authenticated.

Any ideas?

Regards

Alejandro
 
Sheriff
Posts: 10445
J2EE provides role-based security. If you have to restrict access to the methods to authenticated users, you will have to add these users to some role and then use the @RolesAllowed annotation.
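A concrete form of the role-based approach this reply describes, added here as an illustration and not code from the thread: every user the realm authenticates is granted one role (assumed here to be called "authenticated"), and the bean restricts its business methods to that role. The interface name comes from the thread; the role name, the package-less file layout and the whoAmI method are assumptions.

```java
// File: SecurityRemote.java (assumed remote business interface; the thread names it but does not show it)
import javax.ejb.Remote;

@Remote
public interface SecurityRemote {
    void testSecurity();
    String whoAmI();
}

// File: SecurityBean.java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// A class-level @RolesAllowed is the default for every business method.
// The container rejects callers outside the role with javax.ejb.EJBAccessException
// before the method body runs, so an unauthenticated caller never reaches it.
@Stateless
@DeclareRoles("authenticated")   // role name is an assumption; it must exist in the security domain
@RolesAllowed("authenticated")   // granted by the login module to every user who logs in
public class SecurityBean implements SecurityRemote {

    @Resource
    private SessionContext ctx;

    public void testSecurity() {
        // Only reached by callers holding the "authenticated" role
    }

    // A method-level annotation overrides the class default: this method stays open
    // to everyone, including the container's unauthenticated identity, which is
    // exactly what @PermitAll means and why it did not work for the question asked.
    @PermitAll
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }
}
```

How a user ends up in the role is container configuration, not Java: the login module for the bean's security domain (in JBoss, the one named in login-config.xml) has to assign the role unconditionally at login. The EJB specification has no built-in "any authenticated caller" role, so a role granted to everyone who logs in is the portable way to express that requirement.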
 
Alejandro Dominguez
Greenhorn
Posts: 28
I see, kind of what I feared...
Anyway, thank you!

Alejandro
 
Alejandro Dominguez
Greenhorn
Posts: 28
Hi,
upon further investigation I found a workaround to my situation; according to my domain rules any unauthenticated invoker will receive a "guest" identity (with JBoss it's in the conf/login-config.xml file).
Thus, it was just a matter of creating an Interceptor that, with an injected SessionContext, validated that the principal's name is not equal to "guest".

See my implementation below:

Bean class

    import javax.ejb.Stateless;
    import javax.interceptor.Interceptors;

    // SecurityRemote is the bean's @Remote business interface (not shown in the post)
    @Stateless
    @Interceptors(SecurityInterceptor.class)
    public class SecurityBean implements SecurityRemote {

        public void testSecurity() {
            // Body intentionally empty: the interceptor performs the check
        }
    }

Interceptor class

    import javax.annotation.Resource;
    import javax.ejb.SessionContext;
    import javax.interceptor.AroundInvoke;
    import javax.interceptor.InvocationContext;

    public class SecurityInterceptor {

        // Interceptor classes support injection, so the caller's context is available here
        @Resource
        SessionContext sessionContext;

        @AroundInvoke
        public Object securityCheck(InvocationContext ctx) throws Exception {
            // Unauthenticated callers carry the "guest" identity configured in login-config.xml
            if (sessionContext.getCallerPrincipal().getName().equalsIgnoreCase("guest")) {
                throw new SecurityException("No authenticated user provided");
            }
            return ctx.proceed();
        }
    }


Anyway, just wanted to share in case somebody finds himself/herself in this kind of situation.

Regards
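A hardened variant of the interceptor in this post, added here as an example and not the poster's code. It keeps the same idea (reject the container's unauthenticated identity by name) but closes two gaps a reviewer would flag: the identity name is injected from an assumed <env-entry> called unauthenticatedIdentity so it sits in the deployment descriptor beside the rest of the deployment's security configuration instead of in source, and a missing or empty principal is treated as unauthenticated rather than producing a NullPointerException that would surface as an unrelated error. The class, method and env-entry names are assumptions.

```java
import java.security.Principal;
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

public class AuthenticatedOnlyInterceptor {

    private static final Logger LOG =
            Logger.getLogger(AuthenticatedOnlyInterceptor.class.getName());

    // Interceptor classes get the same injection as the bean they wrap,
    // so the caller's security context is available here.
    @Resource
    private SessionContext sessionContext;

    // Name the container assigns to callers that did not log in. Injected from an
    // <env-entry> named "unauthenticatedIdentity" (assumed); when the entry is
    // absent the field keeps its default, which mirrors the JBoss setup in the thread.
    @Resource(name = "unauthenticatedIdentity")
    private String unauthenticatedIdentity = "guest";

    @AroundInvoke
    public Object requireAuthenticatedCaller(InvocationContext ctx) throws Exception {
        if (!isAuthenticated(sessionContext.getCallerPrincipal())) {
            String method = ctx.getMethod().getName();
            LOG.warning("Rejected unauthenticated call to " + method);
            // EJBAccessException is what the container itself throws for role
            // violations, so clients see one exception type whichever check denied them.
            throw new EJBAccessException("Authenticated caller required for " + method);
        }
        return ctx.proceed();
    }

    // Kept as a separate predicate so the policy can be unit-tested without a container.
    boolean isAuthenticated(Principal caller) {
        if (caller == null) {
            return false;                         // no principal at all: treat as anonymous
        }
        String name = caller.getName();
        if (name == null || name.trim().length() == 0) {
            return false;                         // blank name: treat as anonymous
        }
        return !name.equalsIgnoreCase(unauthenticatedIdentity);
    }
}
```

The comparison is still fail-open if the identity name in login-config.xml and the env-entry ever drift apart, so the role-based approach from the earlier reply remains the more robust choice; this version only narrows the ways the workaround can break.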