simplest way to restrict access to remote EJB calls

 
Greenhorn
Posts: 8
I tried asking this at the WebLogic forum on oracle.com but haven't gotten any reply, so I hope someone can help here. It's a general JEE/EJB question on security:

I'm using WebLogic 10.3 and I'm new to security with EJBs. I was looking at the documentation at http://docs.oracle.com/cd/E13222_01/wls/docs103/ConsoleHelp/taskhelp/security/ManageSecurityForDD.html
but got a little overwhelmed by the many options on how to implement security. Plus, I am getting confused between JNDI security and EJB-layer security (they're not the same thing, right?).

Can someone explain what the simplest way would be to prevent an "unauthorized" client from making remote EJB calls? For example, I know of the ConnectionFilters that you can implement in WebLogic, which can prevent remote callers from making T3 or IIOP calls if they're not from an authorized IP, etc. This is a good start, but ideally I would want to password-protect the EJBs, and any EJB client would have to provide this username/password somehow. Or possibly use two-way SSL for T3? The client app would have to provide a certificate to prove that it's trusted.

To be clear, I don't think I need the container to handle any very fine-grained access control. I just want to make sure that the client (e.g., a webapp) is a trusted one. Once the EJB container is satisfied that the client is trusted (preferably by user/pass), then the client is free to execute any EJB methods.

Thanks in advance.
 
Rancher
Posts: 989
Why not use JAAS to secure your EJBs, and then your remote clients need to add to their context lookup properties.
See if this explains it better: http://docs.oracle.com/cd/B32110_01/web.1013/b28957/ejbsec.htm
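To make the two layers in this thread concrete, here is an added example (not the poster's code and not taken from the Oracle docs linked above) showing both halves: a bean whose business methods are restricted to a role, and a remote client that passes a username and password through the InitialContext lookup properties. The bean name, role name, host, user and the environment variable holding the password are placeholder assumptions; `weblogic.jndi.WLInitialContextFactory`, the `t3://` URL scheme, the `javax.annotation.security` annotations and WebLogic's `mappedName#interface` binding convention are real.

```java
import java.util.Hashtable;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.Stateless;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example, not from the original post. It demonstrates the two layers
 * the thread asks about:
 *   1. JNDI-layer authentication: the client authenticates when it creates the
 *      InitialContext, so an anonymous caller cannot even look the bean up.
 *   2. EJB-layer authorization: @RolesAllowed makes the container check the
 *      caller's role on every invocation, so a caller that obtained a stub some
 *      other way still gets an EJBAccessException.
 * Everything marked PLACEHOLDER is an assumption for illustration.
 */
@Remote
interface OrderService {
    String placeOrder(String sku, int quantity);
}

@Stateless(mappedName = "OrderService")   // PLACEHOLDER JNDI name
@DeclareRoles("trusted-client")           // PLACEHOLDER role name
@RolesAllowed("trusted-client")           // applies to every business method
class OrderServiceBean implements OrderService {
    // The annotation only declares the requirement. On WebLogic the role is
    // granted to users/groups in weblogic-ejb-jar.xml (<security-role-assignment>)
    // or through the console; without a mapping nobody can call the bean.
    public String placeOrder(String sku, int quantity) {
        return "order accepted: " + quantity + " x " + sku;
    }
}

public class RemoteClient {
    public static void main(String[] args) throws NamingException {
        String password = System.getenv("ORDER_CLIENT_PASSWORD"); // PLACEHOLDER env var
        if (password == null) {
            throw new IllegalStateException("ORDER_CLIENT_PASSWORD is not set");
        }

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, "t3://app-host.example:7001");   // PLACEHOLDER host
        // These two entries are the "context lookup properties" the reply refers
        // to. The user must exist in the WebLogic realm and be mapped to the role.
        env.put(Context.SECURITY_PRINCIPAL, "orderclient");             // PLACEHOLDER user
        env.put(Context.SECURITY_CREDENTIALS, password);

        Context ctx = new InitialContext(env);   // authentication happens here
        try {
            // WebLogic binds the remote view of a mappedName bean under
            // "<mappedName>#<fully-qualified remote interface>"; the interface
            // above is in the default package, hence the short name.
            OrderService svc = (OrderService) ctx.lookup("OrderService#OrderService");
            System.out.println(svc.placeOrder("ABC-123", 2));
        } finally {
            ctx.close();
        }
    }
}
```

Two caveats a practitioner would want. First, the password in `SECURITY_CREDENTIALS` travels with the T3 handshake, so on plain `t3://` it is exposed to anyone on the path; use `t3s://` (T3 over SSL) for the provider URL, which is also where the two-way SSL option the poster mentions would plug in. Second, the JNDI credentials alone do not protect the methods: if a bean has no method permissions, an invocation from any caller that holds a reference succeeds, which is why the `@RolesAllowed` on the bean (or the equivalent `<method-permission>` in ejb-jar.xml) is the part that actually restricts remote calls.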
 
john ho
Greenhorn
Posts: 8
OK, thanks for the reply... but what you are describing is JNDI lookup security, isn't it? I saw this thread:

https://forums.oracle.com/forums/thread.jspa?threadID=1093427

If I understand the first reply, from "Jay", doing this only forces authentication for the EJB lookup, which is different from security on the EJBs themselves.

However, if I'm only worried about remote invocation of the EJBs, is JNDI authentication sufficient to prevent "rogue" applications from making the EJB calls?

Put another way: without JNDI lookup, is there any other way a client application can still call the EJBs remotely?

Thanks
 