
Setting up security in JAVA EE6 Webservice

 
Rens Groenveld
Greenhorn
Posts: 3
Dear Java Developers,

I am currently researching how Java EE6 Security can secure our applications using GlassFish. I know how to make realms, roles and users.
I managed to get a nice basic login with a servlet. 'Normal' users were not allowed to see an admin page, while an admin user was,
so that test worked out nicely.

Now however, I want to step a little bit deeper into it.

The idea is that I host a webservice using an EJB container.
This webservice does not know anything about its callers, so I figured the caller has to send credentials (username and password) along with the call.
The webservice could then authenticate the user and could then, based on this, allow or deny access to methods.

The thing is, that I have no clue on how to check 2 strings (username and password) and set up a role for the callers within the webservice.

I know this API should help me out:
http://docs.oracle.com/javaee/1.4/api/javax/ejb/EJBContext.html

But it doesn't give me a clear understanding on how to do this. All it says to me is that I can check certain properties when the user is already in a role,
but since it's a webservice, there is no role yet... I have to create it first, but how?

Also, I know that GlassFish supports sign on through LDAP, which is the end goal I am working towards. Perhaps any ideas on how to do that correctly?
What would be the best way to approach this all?

Thanks in advance,

Rens
 
Tim Moores
Saloon Keeper
Posts: 3248
Username/password security is governed by a standard called "WS-Security" (which GlassFish implements).

This may be a starting point on how to configure that in GlassFish: http://docs.oracle.com/cd/E18930_01/html/821-2435/ablrn.html. It points to some further reading, and a sample WS.
I can't help with setting up LDAP with GlassFish, though, but that seems a fairly common task that should be documented in the GlassFish docs, or be google-able on its own.

Note that the page you linked to relates to J2EE 1.4, which is way older than JEE 6, and possibly obsolete.
 
Rens Groenveld
Greenhorn
Posts: 3
Thank you Tim for your reply,

I have dug into what you said, but this is a totally new and difficult approach for me as a student.

I figured something else out though, and that is that I can set a role with the following code:



It works, except now I want to do something like this before a method:


Unfortunately that doesn't work yet, it gives me the following error:
INFO: JACC Policy Provider: Failed Permission Check, context(EE6TutorialEAR/EE6TutorialEJB_jar)- permission((javax.security.jacc.EJBMethodPermission EE6TutorialBean dumpCountries,ServiceEndpoint,java.lang.String,java.lang.String))


But I'll try to figure something out. What do you think of this approach though?
The idea now is:

A client makes a call to a webservice with username and password. The webservice has an interceptor on each method, and takes care of the login part with the given credentials.
Then, after the validator is finished, I use a @RolesAllowed("ADMIN") tag to tell that only admins should be allowed to use that method. That's my general idea... I'm not sure if it's really good though, as well, I'm still a student heheh. Any advice is welcome :-)

Thanks in advance

Rens
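Added example (not code from either poster) showing how the container-managed approach Tim points at and the @RolesAllowed idea in the post above fit together in a Java EE 6 EJB web service. The bean takes no username/password parameters at all: the caller's credentials travel in the transport (HTTP BASIC over TLS, or a WS-Security UsernameToken), GlassFish authenticates them against the configured realm (file or LDAP), and the method only ever sees the resulting principal and roles. The container evaluates @RolesAllowed before any business interceptor runs, so an @AroundInvoke interceptor cannot establish the caller's role; in this example the interceptor is used for what it can do, which is audit who called what. The names CountryServiceBean, AuditInterceptor, ping and whoAmI are assumptions; dumpCountries and the ADMIN role come from the thread.

```java
package example; // hypothetical package

import java.security.Principal;
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptors;
import javax.interceptor.InvocationContext;
import javax.jws.WebMethod;
import javax.jws.WebService;

/**
 * Audit interceptor (hypothetical). It runs only after the container has
 * authenticated the caller and enforced @RolesAllowed, so it never sees an
 * unauthorised call to a protected method; its job is to leave a record of
 * which principal invoked which business method.
 */
class AuditInterceptor {
    private static final Logger LOG = Logger.getLogger(AuditInterceptor.class.getName());

    // Interceptor classes may inject the same resources as the bean they wrap.
    @Resource
    private SessionContext ctx;

    @AroundInvoke
    public Object audit(InvocationContext ic) throws Exception {
        Principal caller = ctx.getCallerPrincipal();
        LOG.info("caller=" + caller.getName() + " method=" + ic.getMethod().getName());
        return ic.proceed();
    }
}

@Stateless
@WebService(serviceName = "CountryService")   // hypothetical service name
@DeclareRoles({"ADMIN", "USER"})              // logical roles; mapped to realm groups at deployment
@Interceptors(AuditInterceptor.class)
public class CountryServiceBean {

    @Resource
    private SessionContext ctx;

    /** Open to anyone, including unauthenticated callers. */
    @WebMethod
    @PermitAll
    public String ping() {
        return "pong";
    }

    /**
     * Declarative check: the container rejects the call (the JACC
     * "Failed Permission Check" seen in the thread) unless the authenticated
     * caller is in ADMIN. No credentials are passed as parameters.
     */
    @WebMethod
    @RolesAllowed("ADMIN")
    public String dumpCountries() {
        return "NL,DE,BE"; // constructed sample data
    }

    /**
     * Programmatic check via EJBContext for decisions finer than
     * method granularity, e.g. returning more detail to admins.
     */
    @WebMethod
    @RolesAllowed({"ADMIN", "USER"})
    public String whoAmI() {
        boolean admin = ctx.isCallerInRole("ADMIN");
        return ctx.getCallerPrincipal().getName() + (admin ? " (admin)" : " (user)");
    }
}
```

The ADMIN and USER roles are only logical names until they are mapped to groups of the realm the endpoint is protected with; in GlassFish that mapping is either declared per role in the application's deployment descriptor (security-role-mapping) or, if "Default Principal To Role Mapping" is enabled on the server, done by matching group names to role names. Whichever transport authentication is chosen (BASIC or WS-Security), the endpoint should only be exposed over TLS so the credentials are never sent in clear.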
 