geronimo-user mailing list archives
From David Jencks <david_jen...@yahoo.com>
Subject Re: Spring Security & securing EJBs in Geronimo
Date Fri, 24 Oct 2008 22:32:14 GMT

On Oct 24, 2008, at 3:11 PM, jayess wrote:

>
> Hi. I'm doing a little investigation to see if we can use Spring Security for
> the web tier and still have the EJBs secured by the container (as I
> understand Spring Security can't be used for EJBs - am I wrong?). The
> customer wants to use Spring Security. And this is just investigative work
> to find possible approaches.
>
> End result is that I want to be able to secure the EJBs using annotations.
>
> I have an EAR file deployed to Geronimo (Jetty). In the EAR, I have a simple
> WAR file that is secured by Spring Security (i.e. all web resources are
> protected properly). I've enabled authentication/authorization at this level
> and it works fine. For the EJBs, I've added @RolesAllowed annotations to my
> EJBs and I've enabled EJB security by adding an empty <security/> tag in the
> geronimo-application.xml. Now my EJBs are secure (I get an "Unauthorized
> Access by Principal Denied" when I try to access them).
>
> Now I need to tie the two securities together. I am thinking that I could
> create a servlet filter that "hooks into" Geronimo security as follows:
>
>   :
>   Subject subject = new Subject();
>   subject.getPrincipals().add(...);
>   ContextManager.setCurrentCallers(subject, subject);

That's close to what should work....

First, if you can get the principals I imagine you can get the Subject
out of Spring Security and use it rather than constructing another one.

Next, for Geronimo's JACC implementation to work you have to register
the Subject so we can pre-compute the AccessControlContext for the
subject.

Finally, the ContextManager.setCurrentCallers(subject, subject) is
correct.  So I think something like this ought to work:

import javax.security.auth.Subject;
import org.apache.geronimo.security.ContextManager;

Subject subject = extractSubjectFromTheDeathGripOfSpring();
ContextManager.registerSubject(subject);          // pre-computes the AccessControlContext
ContextManager.setCurrentCallers(subject, subject);

If Spring successfully hides the subject but lets you see the
principals then constructing a Subject as you do above ought to work
too.

Hope this helps
david jencks

>
>   :
>
> However I am having problems. When I try to access a secured EJB (after
> authentication in Spring), I get the following error:
>
> java.lang.NullPointerException
> 	at org.apache.geronimo.security.ContextManager.getCurrentContext(ContextManager.java:164)
> 	at org.apache.geronimo.openejb.GeronimoSecurityService.isCallerAuthorized(GeronimoSecurityService.java:101)
> 	at org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:142)
> 	at org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:217)
> 	at org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:77)
> 	at org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:321)
> 	at org.apache.openejb.util.proxy.Jdk13InvocationHandler.invoke(Jdk13InvocationHandler.java:49)
>
>
> So my questions:
> 1. Is there a way to hook into Geronimo security? If so how do I create the
> Subject properly so that Geronimo can use it?
> 2. Given that we want to use "Spring Security" for the web tier, but want
> our EJBs secured ... is there a better approach?
>
> I'm new to security in general and any advice would be greatly welcomed.
> Also, to reiterate, we have not decided to use Spring Security but need to
> investigate if it's even doable - given the fact we are deploying to
> Geronimo and do want our EJBs secured by annotations.
>
> Thanks so much!!!!
>
>
>
>
> -- 
> View this message in context: http://www.nabble.com/Spring-Security---securing-EJBs-in-Geronimo-tp20158641s134p20158641.html
> Sent from the Apache Geronimo - Users mailing list archive at  
> Nabble.com.
>
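The filter sketched in the question, completed with the register-then-set-callers sequence from the reply above, as an added example that is not code from this thread, from Geronimo or from Spring Security. It assumes the Spring Security 3 API shape (`getAuthorities()` returning a Collection; 2.0 returns an array), Geronimo's `GeronimoUserPrincipal`/`GeronimoGroupPrincipal` classes as the principal types a deployment plan's role mapping can match, and that `ContextManager.clearCallers()` and `ContextManager.unregisterSubject(Subject)` are the cleanup counterparts; the class name `GeronimoCallerBridgeFilter` is invented.

```java
import java.io.IOException;
import java.util.Collection;

import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.geronimo.security.ContextManager;
import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;
import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Example (not Geronimo's or Spring's own code): copies the Spring Security
 * identity of the current request into Geronimo's caller context so that
 * container-enforced @RolesAllowed checks on EJBs see the same caller.
 * Map it in web.xml AFTER springSecurityFilterChain, otherwise the
 * SecurityContextHolder is still empty when this filter runs.
 */
public class GeronimoCallerBridgeFilter implements Filter {

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            // Not logged in at the web tier: leave Geronimo's default callers alone,
            // so an EJB call from here is still rejected by the container.
            chain.doFilter(request, response);
            return;
        }

        Subject subject = toGeronimoSubject(auth);
        // Registration is what lets Geronimo pre-compute the AccessControlContext
        // that ContextManager.getCurrentContext() later looks up for this Subject;
        // calling setCurrentCallers without it is what the reply identifies as missing.
        ContextManager.registerSubject(subject);
        ContextManager.setCurrentCallers(subject, subject);
        try {
            chain.doFilter(request, response);
        } finally {
            // Assumed cleanup API names: undo both steps so the pooled request
            // thread does not carry this identity into the next request.
            ContextManager.clearCallers();
            ContextManager.unregisterSubject(subject);
        }
    }

    /**
     * Builds a Subject from the Spring Authentication. The Subject is left
     * writable because Geronimo adds its own identification principal on
     * registerSubject().
     */
    static Subject toGeronimoSubject(Authentication auth) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new GeronimoUserPrincipal(auth.getName()));
        // Each Spring authority becomes a group principal. The EJB module's
        // deployment plan must map these group names to the @RolesAllowed roles;
        // an empty <security/> element contains no such mapping.
        Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
        for (GrantedAuthority authority : authorities) {
            subject.getPrincipals().add(new GeronimoGroupPrincipal(authority.getAuthority()));
        }
        return subject;
    }
}
```

Two points to check when wiring this up. First, the empty <security/> element from the question turns the container checks on but maps no principals to roles, so every call is denied until the plan's security element gets a role-mappings entry that names the principal class and name this filter produces (the exact element names depend on the Geronimo version and its schema namespace). Second, the identity is attached to the request thread, not to the HTTP session, which is why the finally block clears it; a filter that forgets the cleanup lets the next request on that pooled thread inherit the previous user's roles.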

