geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: Role-based security in EJB methods
Date Mon, 14 May 2007 22:57:43 GMT

On May 14, 2007, at 2:24 PM, Christopher Blythe wrote:

> David...
>
> Thanks for the reply... Here are some more specifics. I am working  
> with Geronimo 1.1.1 and attempting to add role-based security to  
> DayTrader (with the help of Surya Duggirala). He has added the  
> necessary security tags to the web.xml and ejb-jar.xml and I am  
> simply trying to figure out the deployment plans for Geronimo.
>
> Thus far I have done the following...
>
> Added the security realm to the <web-app> portion of the deployment  
> plan to secure a URL in the web archive.
> <security-realm-name>daytrader-realm</security-realm-name>
>
> I have also added the following to the <openejb-jar> portion of the  
> plan to secure one of the session EJBs.
>
>       <security>
>         <default-principal realm-name="daytrader-realm">
>           <principal name="anonymous"  
> class="org.apache.geronimo.security.realm.providers.GeronimoUserPrinci 
> pal"/>
>         </default-principal>
>         <role-mappings>
>           <role role-name="grp1">
>             <realm realm-name="daytrader-realm">
>               <principal name="group1" class="  
> org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>             </realm>
>           </role>
>         </role-mappings>
>       </security>
>

You can only specify one <security> element in all the geronimo plans  
for an app, and it doesn't really matter where you put it.  The  
security deployer is supposed to object if it finds more than one,  
but it's possible this feature isn't working in that geronimo version.

> When I access the secured URL, I am asked to provide my credentials  
> as expected. So, that appears to be working correctly. However, I'm  
> not really sure how to verify that my method level permissions on  
> the secured Session bean are being respected.
>
> I can access the session bean via a non-secured URL that bypasses  
> the security configuration in the war. If the security  
> configuration for my ejb was being used, I would expect some form  
> of exception to be thrown when I try to access it via my non- 
> secured URL (since I have not provided my credentials), but I do  
> not. This leads me to believe that I'm missing something.

That sounds fishy, but it's hard to tell without all the security  
configuration stuff to look at.  Are the secured dds in svn?  If not  
can you supply them, perhaps attached to a daytrader jira together  
with the plan(s) you are trying?

thanks
david jencks

>
> Any thoughts?
>
> Thanks again...
>
> Chris
>
> On 5/14/07, David Jencks <david_jencks@yahoo.com > wrote:
>
> On May 14, 2007, at 10:33 AM, Christopher Blythe wrote:
>
> > Was wondering if there are any samples or tests for Geronimo that
> > use role-based authentication for EJB methods?
> >
> > More specifically, I was wondering how to configure the role
> > mappings in the Geronimo deployment plan. Most of the samples out
> > there revolve around the war, but I have not found anything
> > relating to the EJB jar.
>
> The role>> permission mapping is specified in the spec dd or via
> annotations.
>
> The part in the geronimo plan is a principal<< role mapping which
> works the same way for wars and ejb jars.
>
> I don't know if there are easy to find examples.  If this doesn't
> clear it up can you ask a more specific question?
>
> thanks
> david jencks
>
> >
> > Thanks...
> >
> > Chris
> >
> > --
> > "I say never be complete, I say stop being perfect, I say let...
> > lets evolve, let the chips fall where they may." - Tyler Durden
>
>
>
>
> -- 
> "I say never be complete, I say stop being perfect, I say let...  
> lets evolve, let the chips fall where they may." - Tyler Durden


Mime
View raw message