Websphere Security for v5.1

 
aanchal mathur
Greenhorn
Posts: 29
Hi,

WebSphere mentions that it follows the J2EE declarative manner for authorization of users. In my application deployed on WebSphere v5.1 my requirement is to authenticate as well as authorize users in a programmatic manner, i.e. I don't want to define the roles etc. in the deployment descriptor and instead will define them programmatically in my EAR. Is this possible in WebSphere, and if yes, how?
My requirement is to generate roles dynamically when the application is deployed. If I make use of the declarative manner for defining roles etc. in the deployment descriptor, then each time I have a new role to be added to my application, I'll have to redeploy my application. Instead, if I do the same programmatically, then I don't need to worry about redeploying my application each time and can instead just use the database tables (in my case Oracle9i) for the list of roles, users etc. defined for the application.
Is this possible?

Thanks,
aanchal.
 
Kyle Brown
author
Posts: 3892
No, this is not possible. This is not the way the J2EE spec or WebSphere works.

Kyle
 
Ramon Cucharo
Greenhorn
Posts: 3
When the user logs in, you could cache his session or SSB with a collection of roles.

When he tries to run a secure method, you load the collection of roles authorized to run the method.

    // Copy first: retainAll() mutates its receiver and returns a boolean, not the intersection
    Set intersection = new HashSet(allowedRoles);
    intersection.retainAll(userRoles);
    if (intersection.isEmpty()) {
        throw new SecurityException("caller holds none of the roles allowed for this method");
    }
[ May 19, 2004: Message edited by: Ramon Cucharo ]
 
Kyle Brown
author
Posts: 3892
But that solution:

(a) Doesn't hook into J2EE security, leaving the app server unsecured and open for intrusion and
(b) Requires you to add code in each secured method -- what happens if you miss one?

It's best to just do things the standard J2EE way. So you have to redeploy your app when roles change -- that RARELY happens. Don't create problems where they don't exist.

Kyle
 
Ramon Cucharo
Greenhorn
Posts: 3
Sometimes bosses or customers can be unreasonable. Otherwise, I agree with you, Kyle.
 
aanchal mathur
Greenhorn
Posts: 29
Hi,

I agree with both of you, but Kyle, it's true that at times customers can be unreasonable and we just have to do it.

So now what I am going to do is define a role in the ejb-jar.xml file which will be used to authorize all users who log into the application. And then anyway, programmatically in all methods we get the roles from the database based on the principal of that user.
Am I correct, or am I missing out on something?

Kyle,
I'm not sure what you mean by

"Doesn't hook into J2EE security, leaving the app server unsecured and open for intrusion."

Can you give me more details? I've read about it, but I'm not sure whether it leaves the app server unsecured or the applications deployed in it unsecured.
i.e. for example, if I do implement programmatic security, will it affect the entire app server's security or just the application's security? Also, I'm talking in terms of a general J2EE app server and not just WebSphere.
Please give me your comments about the same.

Ramon,
Could you elaborate more on what you mentioned about caching a user's session? I wasn't clear, so could you tell me which method to modify in the file implementing the UserRegistry for implementing what you mentioned? Or what procedure to proceed with instead of adding the role in the ejb-jar.xml file?

Thanks,
aanchal.
[ May 20, 2004: Message edited by: aanchal mathur ]
 
Kyle Brown
author
Posts: 3892

Originally posted by aanchal mathur:

    Hi,

    I agree with both of you, but Kyle, it's true that at times customers can be unreasonable and we just have to do it.

    So now what I am going to do is define a role in the ejb-jar.xml file which will be used to authorize all users who log into the application. And then anyway, programmatically in all methods we get the roles from the database based on the principal of that user.
    Am I correct, or am I missing out on something?

If you do things that way (have your system secured under one J2EE role and then do "additional" checks afterwards), then at least your EJBs and servlets will be locked down from casual intrusion. That's an OK compromise in your case. However, case (2) still applies -- this is a lot of coding and it will be easy to miss things...

Kyle
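The compromise agreed above (container authentication under one J2EE role, then database-backed role checks) and Ramon's role-intersection idea earlier in the thread can be combined in one servlet filter, so the "what happens if you miss one?" objection is answered by having a single choke point rather than a check in every action. The following is an added example written for this page, not code from the thread or from WebSphere. It is in JDK 1.4 / Servlet 2.3 syntax to match WebSphere 5.1. The `RoleDao` interface, the `roleDao` context attribute, the role names and the URL paths are all assumptions; the filter must be mapped in web.xml to the same URLs as the security constraint, because it denies any path it does not know.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: enforces database-backed roles in ONE place, after the
 * container has already authenticated the caller under the single J2EE role.
 */
public class DbRoleFilter implements Filter {

    /** Hypothetical DAO (assumption), e.g. SELECT role_name FROM user_role WHERE user_id = ? */
    public interface RoleDao {
        Set rolesFor(String userName);
    }

    private static final String ROLES_ATTR = DbRoleFilter.class.getName() + ".roles";

    /** URL path -> roles allowed to reach it. Paths not listed are denied (fail closed). */
    private static final Map PROTECTED = new HashMap();
    static {
        PROTECTED.put("/tree.do", roles(new String[] {"viewer", "editor"}));
        PROTECTED.put("/admin.do", roles(new String[] {"admin"}));
    }

    private RoleDao dao;

    public void init(FilterConfig cfg) throws ServletException {
        // How the DAO is obtained is an assumption; a real app would look it up or build it here.
        dao = (RoleDao) cfg.getServletContext().getAttribute("roleDao");
        if (dao == null) {
            throw new ServletException("roleDao not configured");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // 1. The container must already have authenticated the caller: the URL is inside a
        //    <security-constraint> whose single role is mapped to all authenticated users.
        Principal caller = http.getUserPrincipal();
        if (caller == null) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. Load the caller's roles from the database once per session and cache them
        //    (the "cache his session with a collection of roles" idea from the thread).
        HttpSession session = http.getSession(true);
        Set userRoles = (Set) session.getAttribute(ROLES_ATTR);
        if (userRoles == null) {
            userRoles = dao.rolesFor(caller.getName());
            session.setAttribute(ROLES_ATTR, userRoles);
        }

        // 3. One central decision, so no individual action can forget the check.
        if (!isAllowed(http.getServletPath(), userRoles)) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Intersection test: allowed when the caller holds at least one of the allowed roles. */
    static boolean isAllowed(String path, Set userRoles) {
        Set allowed = (Set) PROTECTED.get(path);
        if (allowed == null) {
            return false; // unknown path: deny rather than silently pass
        }
        Set intersection = new HashSet(allowed); // copy first: retainAll() mutates its receiver
        intersection.retainAll(userRoles);
        return !intersection.isEmpty();
    }

    public void destroy() {
    }

    private static Set roles(String[] names) {
        return new HashSet(Arrays.asList(names));
    }
}
```

Two caveats a reviewer would raise. Caching the role set in the session means a role revoked in the database only takes effect at the user's next login; if that matters, drop the session cache or expire it. And the filter only protects the web tier: EJB methods called from elsewhere still need the same `isAllowed` style check inside the bean, with the roles loaded for `ctx.getCallerPrincipal().getName()`, which is exactly the per-method coding Kyle warns about.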
 
Ramon Cucharo
Greenhorn
Posts: 3
something like


...

now in the authentication servlet

 
aanchal mathur
Greenhorn
Posts: 29
Thanks guys.

I'm done with the security part of my application with WebSphere.

But now I have a question about the JNDI naming, for which I'll open a new post.

aanchal.
 
aanchal mathur
Greenhorn
Posts: 29
Hi...

My application is finally up and running, but I still have a few doubts which I need cleared.
As mentioned earlier, I have 1 role defined in the ejb-jar.xml file which is globally used for WebSphere authorization. Hence while deploying the application in WebSphere, on the "Select User Role" page I check the "AllAuthenticated" checkbox, i.e. it should authorize the role for all authenticated users.

Since I have a web-based application I am making use of Basic Authentication. Since I wanted only a few action files (*.do files of the Struts framework) to be the protected pages, I added only them to the web.xml file,
e.g. <url-pattern>/tree.do</url-pattern>
But the JSP pages which were called by the "forward" method of the same protected Action file seemed to always fire the "Unauthorized Exception", i.e. unauthenticated user. When on the JSP page it would check request.getRemoteUser(), it would always show as null.
But when in the web.xml I would put the entire application as "protected", i.e.
<url-pattern>/*</url-pattern>

then in this case my application would work fine and give no Unauthenticated Exception etc.
Can anyone tell me why?
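For reference, the declarative side that the last post describes (one role in ejb-jar.xml, BASIC authentication, and a web.xml constraint that is either narrow or covers the whole application) looks like the following. This is an added example written for this page, not the poster's actual descriptors; the role name `AppUser`, the EJB name `TreeFacade` and the realm name are assumptions, and the WebSphere-specific mapping of `AppUser` to "AllAuthenticated" is done at deployment time as the post says, not in these files.

```xml
<!-- ===== web.xml (security-related elements only; added example) ===== -->
<web-app>

  <!-- Variant A, as in the post: only the Struts action is inside the constraint, so the
       container authenticates a caller only when this URL is requested. No <http-method>
       elements are listed on purpose: naming GET and POST would leave every other verb
       unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected actions</web-resource-name>
      <url-pattern>/tree.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AppUser</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Variant B, the other configuration the post tried: the whole application is
       protected, so every request (JSPs included) arrives authenticated. Use one
       variant or the other; both are shown here for comparison. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AppUser</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Application</realm-name>
  </login-config>

  <security-role>
    <role-name>AppUser</role-name>
  </security-role>
</web-app>

<!-- ===== ejb-jar.xml (assembly-descriptor fragment; the enterprise-beans section is omitted) ===== -->
<ejb-jar>
  <assembly-descriptor>
    <security-role>
      <role-name>AppUser</role-name>
    </security-role>
    <!-- The single role guards every method of the bean; finer-grained decisions are
         then made programmatically, as the thread agreed. -->
    <method-permission>
      <role-name>AppUser</role-name>
      <method>
        <ejb-name>TreeFacade</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

One check worth doing with Variant A: request a JSP or another `.do` that is not listed in any `<url-pattern>` directly, without going through `/tree.do`. If it is served, it is reachable by anyone who can reach the server, which is the kind of gap a single `/*` constraint or a centralized filter closes.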
 