EJB Security: allowing any authenticated user

Alejandro Dominguez
Greenhorn
Posts: 28
Hi to all!
I would like to allow access in my EJB to any authenticated user, but not to un-authenticated users.
If I annotate the class with @PermitAll, it works somehow; all authenticated users can indeed invoke the bean's method. But so can users that are not authenticated.

Any ideas?

Regards

Alejandro
 
Jaikiran Pai
Sheriff
Posts: 10447
J2EE provides role-based security. If you have to restrict access to the methods to authenticated users, you will have to add these users to some role and then use the @RolesAllowed annotation.
 
Alejandro Dominguez
Greenhorn
Posts: 28
I see, kind of what I feared...
Anyway, thank you!

Alejandro
 
Alejandro Dominguez
Greenhorn
Posts: 28
Hi,
upon further investigation I found a workaround for my situation; according to my domain rules any un-authenticated invoker will receive a "guest" identity (with JBoss it's in the conf/login-config.xml file).
Thus, it was just a matter of creating an Interceptor that, with an injected SessionContext, validated that the principal's name is not equal to "guest".

See my implementation below.

Bean class

import javax.ejb.Stateless;
import javax.interceptor.Interceptors;

@Stateless
@Interceptors(SecurityInterceptor.class)
public class SecurityBean implements SecurityRemote {

    public void testSecurity() {
        // Empty on purpose: the interceptor runs its check before this body is reached
    }
}

Interceptor class

import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

public class SecurityInterceptor {

    // Injected by the container; gives access to the caller's principal
    @Resource
    SessionContext sessionContext;

    @AroundInvoke
    public Object securityCheck(InvocationContext ctx) throws Exception {
        // Unauthenticated callers are mapped to the "guest" identity by login-config.xml
        if (sessionContext.getCallerPrincipal().getName().equalsIgnoreCase("guest")) {
            throw new SecurityException("No authenticated user provided");
        }
        return ctx.proceed();
    }
}


Anyway, just wanted to share in case somebody finds himself/herself in this kind of situation.

Regards
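Added example (my own code, not Alejandro's): a hardened variant of the interceptor above that also treats a missing principal as unauthenticated, compares against a set of anonymous principal names rather than the single literal "guest", and names the rejected method in the log so denials can be found later. Only "guest" comes from the thread; the other names are assumed placeholders for other containers and must be adjusted to the real login configuration.

```java
import java.security.Principal;
import java.util.Locale;
import java.util.Set;
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

// Attach to a bean with @Interceptors(AuthenticatedOnlyInterceptor.class),
// exactly as SecurityInterceptor is attached in the post above.
public class AuthenticatedOnlyInterceptor {

    private static final Logger LOG =
            Logger.getLogger(AuthenticatedOnlyInterceptor.class.getName());

    // Principal names the container hands to unauthenticated callers.
    // "guest" is the JBoss login-config.xml mapping from the thread; the
    // other two are assumed examples for other containers (adjust to yours).
    private static final Set<String> ANONYMOUS_NAMES =
            Set.of("guest", "anonymous", "unauthenticated");

    // Injected by the container; exposes the caller's principal
    @Resource
    private SessionContext sessionContext;

    @AroundInvoke
    public Object requireAuthenticatedCaller(InvocationContext ctx) throws Exception {
        Principal caller = sessionContext.getCallerPrincipal();
        String method = ctx.getMethod().getName();
        if (!isAuthenticated(caller)) {
            // Log the denial with the method name so it is visible in the server log
            LOG.warning("Denied unauthenticated call to " + method);
            throw new SecurityException("Authenticated caller required for " + method);
        }
        return ctx.proceed();
    }

    // Package-private and container-free so it can be unit-tested directly.
    // A null principal (some containers return one for anonymous callers)
    // is treated the same as a known anonymous name.
    static boolean isAuthenticated(Principal caller) {
        if (caller == null || caller.getName() == null) {
            return false;
        }
        return !ANONYMOUS_NAMES.contains(caller.getName().toLowerCase(Locale.ROOT));
    }
}
```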
 