geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jayess <js...@yahoo.ca>
Subject Spring Security & securing EJBs in Geronimo
Date Fri, 24 Oct 2008 22:11:44 GMT

Hi. I'm doing a little investigation to see if we can use Spring Security for
the web tier and still have have the EJBs secured by the container (as I
understand Spring Security can't be used for EJBs - am I wrong?). The
customer wants to use Spring Security. And this is just investigative work
to find possible approaches.

End result is that I want to be able to secure the EJBs using annotations.

I have a EAR file deployed to Geronimo (Jetty). In the EAR, I have a simple
WAR file that is secured by Spring Security (i.e. all web resources are
protected properly). I've enabled authentication/authorization at this level
and it works fine. For the EJBs, I've added @RolesAllowed annotations to my
EJBs and I've enabled EJB security by adding an empty <security/> tag in the
geronimo-application.xml. Now my EJBS are secure (I get a "Unauthorized
Access by Principal Denied" when I try to access them). 

Now I need to tie the two securities together. I am thinking that I could
create a servlet filter that "hooks into" geronimo security as follows:

   :
   Subject subject = new Subject();
   subject.getPrincipals().add(...);
   ContextManager.setCurrentCallers(subject,subject)
   :

However I am having problems. When I try to access a secured EJB (after
authentication in Spring), I get the following error:

java.lang.NullPointerException
	at
org.apache.geronimo.security.ContextManager.getCurrentContext(ContextManager.java:164)
	at
org.apache.geronimo.openejb.GeronimoSecurityService.isCallerAuthorized(GeronimoSecurityService.java:101)
	at
org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:142)
	at
org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:217)
	at
org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:77)
	at
org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:321)
	at
org.apache.openejb.util.proxy.Jdk13InvocationHandler.invoke(Jdk13InvocationHandler.java:49)


So my questions:
1. Is there a way to hook into Geronimo security? If so how do I create the
Subject properly so that Geronimo can use it?
2. Given that we want to use "Spring Security" for the web tier, but want
our EJBs secured ... is there a better approach? 

I'm new to security in general and any advice would be greatly welcomed.
Also, to reiterate, we have not decided to use Spring Security but need to
investigate if it's even doable - given the fact we are deploying to
Geronimo and do want our EJBs secured by annotations.

Thanks so much!!!!




-- 
View this message in context: http://www.nabble.com/Spring-Security---securing-EJBs-in-Geronimo-tp20158641s134p20158641.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.


Mime
View raw message