EJB Security: allowing any authenticated user

 
Greenhorn
Posts: 28
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi to all!
I would like to allow access in my EJB to any authenticated user, but not to un-authenticated users.
If I annotate the class with @PermitAll, it works somehow; all authenticated users can indeed invoke the bean's method. But so can users that are not authenticated.

Any ideas?

Regards

Alejandro
 
Sheriff
Posts: 10445
227
IntelliJ IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
J2EE provides role-based security. If you have to restrict access to the methods to authenticated users, you will have to add these users to some role and then use the @RolesAllowed annotation.
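As an added example of the role-based route the reply describes (not code from the original post or from any project): the bean declares one role that every authenticated caller is expected to hold and guards its method with @RolesAllowed. The role name "Authenticated", the bean and interface names, and the assumption that the container's login module or realm grants that role to every successfully authenticated user (container-specific configuration, not shown) are mine.

```java
// AuthenticatedOnlyRemote.java
import javax.ejb.Remote;

@Remote
public interface AuthenticatedOnlyRemote {
    String whoAmI();
    boolean isAuthenticated();
}

// AuthenticatedOnlyBean.java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical role name. The security domain must assign it to every user
// who logs in successfully; that mapping is container configuration and is
// assumed here, not shown.
@DeclareRoles(AuthenticatedOnlyBean.AUTHENTICATED_ROLE)
@Stateless
public class AuthenticatedOnlyBean implements AuthenticatedOnlyRemote {

    static final String AUTHENTICATED_ROLE = "Authenticated";

    @Resource
    private SessionContext ctx;

    // Declarative check: a caller without the role is rejected by the
    // container with javax.ejb.EJBAccessException before the body runs.
    // An unauthenticated caller carries only the container's anonymous
    // identity, which holds no such role, so it is rejected too.
    @RolesAllowed(AUTHENTICATED_ROLE)
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }

    // Open to everyone. This is what @PermitAll means: the anonymous identity
    // the container gives unauthenticated callers satisfies it as well, which
    // is why @PermitAll alone cannot express "any authenticated user".
    @PermitAll
    public boolean isAuthenticated() {
        return ctx.isCallerInRole(AUTHENTICATED_ROLE);
    }
}
```

The important part is the role assignment in the realm: if the login module only grants roles read from a user store, a role that every user receives has to be configured there (or in the vendor deployment descriptor's principal-to-role mapping), otherwise @RolesAllowed("Authenticated") denies everyone.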
Alejandro Dominguez
I see, kind of what I feared...
Anyway, thank you!

Alejandro
Alejandro Dominguez
Hi,
upon further investigation I found a workaround for my situation; according to my domain rules any unauthenticated invoker will receive a "guest" identity (with JBoss it's in the conf/login-config.xml file).
Thus, it was just a matter of creating an Interceptor that, with an injected SessionContext, validated that the principal's name is not equal to "guest".

See my implementation below

Remote interface

    import javax.ejb.Remote;

    @Remote
    public interface SecurityRemote {
        void testSecurity();
    }

Bean class

    import javax.ejb.Stateless;
    import javax.interceptor.Interceptors;

    @Stateless
    @Interceptors(SecurityInterceptor.class)   // every business method passes through the interceptor first
    public class SecurityBean implements SecurityRemote {

        public void testSecurity() {
            // business logic goes here
        }
    }

Interceptor class

    import javax.annotation.Resource;
    import javax.ejb.SessionContext;
    import javax.interceptor.AroundInvoke;
    import javax.interceptor.InvocationContext;

    public class SecurityInterceptor {

        @Resource
        private SessionContext sessionContext;   // injected by the container; carries the caller's principal

        @AroundInvoke
        public Object securityCheck(InvocationContext ctx) throws Exception {
            // Unauthenticated callers arrive under the "guest" identity configured in login-config.xml
            if (sessionContext.getCallerPrincipal().getName().equalsIgnoreCase("guest")) {
                throw new SecurityException("No authenticated user provided");
            }
            return ctx.proceed();
        }
    }



Anyway, just wanted to share in case somebody finds himself/herself in this kind of situation.

Regards
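The interceptor above is a deny-list on a single principal name, so two things deserve attention: if the security domain's unauthenticated identity is renamed, or no principal is attached at all, every caller passes the check, and a real account that happens to be named "guest" is locked out. Below is an added variant of the same interceptor (my code, not the poster's) that treats a missing principal as unauthenticated, compares names exactly, keeps the anonymous identity in one constant so it can be kept in sync with login-config.xml, and reports denials with javax.ejb.EJBAccessException, the exception the container itself uses for declarative denials. The class name, the constant, and the "guest" value matching the poster's configuration are assumptions.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

/**
 * Around-invoke interceptor that rejects calls made under the container's
 * unauthenticated identity. Added example; not the original poster's code.
 */
public class AuthenticatedCallerInterceptor {

    // Must match the unauthenticatedIdentity configured for the security domain
    // (the post's JBoss setup uses "guest"). Assumption; adjust per deployment.
    static final String ANONYMOUS_IDENTITY = "guest";

    @Resource
    private SessionContext sessionContext;

    @AroundInvoke
    public Object requireAuthenticatedCaller(InvocationContext ctx) throws Exception {
        Principal caller = sessionContext.getCallerPrincipal();
        if (!isAuthenticated(caller)) {
            throw new EJBAccessException("Caller is not authenticated; method "
                    + ctx.getMethod().getName() + " requires a logged-in user");
        }
        return ctx.proceed();
    }

    // Pure function, package-private so it can be unit-tested without a container.
    static boolean isAuthenticated(Principal caller) {
        // Fail closed: no principal (e.g. no security domain bound to the bean)
        // is "unauthenticated", not "not guest, therefore fine".
        if (caller == null || caller.getName() == null) {
            return false;
        }
        // Exact comparison; equalsIgnoreCase would make the outcome depend on
        // how the realm normalises names.
        return !ANONYMOUS_IDENTITY.equals(caller.getName());
    }
}
```

Where the realm can grant a role to every authenticated user, sessionContext.isCallerInRole("Authenticated") (an allow-list) is the more robust check than comparing against an anonymous name, because it keeps working when the anonymous identity is renamed or removed.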