geronimo-user mailing list archives

From Shailen <khichi.shailen...@gmail.com>
Subject Re: why we need to provide security realm name to a standalone ejb client?
Date Wed, 02 Feb 2011 11:41:28 GMT
Yes Juergen, I second you.
I have fixed my problem and I am happy to see geronimo has implemented 
what you have said for webservices. See below:

<ejb:enterprise-beans>
  <ejb:session>
    <ejb:ejb-name>SampleImp</ejb:ejb-name>
    <ejb:web-service-security>
      <ejb:security-realm-name>sample-realm</ejb:security-realm-name>
      <ejb:realm-name>sample-realm</ejb:realm-name>
      <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
      <ejb:auth-method>BASIC</ejb:auth-method>
    </ejb:web-service-security>
  </ejb:session>
</ejb:enterprise-beans>

This is the code in openejb-jar.xml. Here we are explicitly specifying that 
sample-realm be used for the webservice exposed by the SampleImp EJB. I am 
able to call the webservice using the principal credentials.

I am still not very sure why geronimo can't have 
<ejb:ejb-security> as follows:

<ejb:enterprise-beans>
  <ejb:session>
    <ejb:ejb-name>SampleImp</ejb:ejb-name>
    <ejb:ejb-security>
      <ejb:security-realm-name>sample-realm</ejb:security-realm-name>
    </ejb:ejb-security>
  </ejb:session>
</ejb:enterprise-beans>

Can someone please shed more light on it?

Regards,
Shailen (khichi.shailendra@gmail.com)
+91-9216020360
Mohali, Chandigarh - 160062


On Wednesday 02 February 2011 01:26 PM, weberjn wrote:
> One could rather argue that a client should not know about an ejb's security
> configuration. This should be only known in the ejb configuration, and
> nowhere else, definitely not on the client. The ejb deployer should be able
> to switch from one security realm to another, without the client knowing.
>> there's no easy way to predict which application's ejb or which ejb you
>> want to call
> I understand this is because security lookup is done during creation of the
> InitialContext and the lookup with JNDI name is done in the next call.
>
> An alternative would be to define an order of security realm lookups.
>
> Greetings,
> Juergen
>
>
>
>
>
> David Jencks wrote:
>> This is the right place to ask this question.
>>
>> Geronimo lets you set up many security realms at once.  When you connect
>> from a remote client to call ejbs, there's no easy way to predict which
>> application's ejb or which ejb you want to call.  So you have to specify
>> how you want to log in when you connect.
>>
>> We could allow specifying a default security realm for all of openejb so
>> if you don't specify a realm we use the default.
>>
>> thanks
>> david jencks
>>
>> On Feb 1, 2011, at 2:27 AM, Shailen wrote:
>>
>>> Hi All,
>>>
>>> I have a very simple ejb deployed on geronimo2.2.1. This ejb is secured
>>> by a security realm(Database(SQL) realm). When I call this ejb from a
>>> standalone java client, it restricts me from accessing it without
>>> authentication.
>>>
>>> But when I provide this principal and credentials then also it restricts
>>> me from calling this ejb.
>>> When I additionally provide realmName then it enables me to call this
>>> ejb.
>>>
>>> My question is why do we need to provide the security realm name in the
>>> client?
>>>
>>> I am sorry if this is not the right place to ask such questions.
>>> -- 
>>>
>>> Regards,
>>> Shailen (khichi.shailendra@gmail.com)
>>> +91-9216020360
>>> Mohali, Chandigarh - 160062
>>
>>
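
Added example, not part of the original thread or of Geronimo's own code: a standalone client that passes the realm name when the InitialContext is created, which is the point at which the thread says the login takes place. It assumes the OpenEJB client jar is on the classpath; the host and port, the JNDI name SampleImpRemote and the EJB_USER/EJB_PASS environment variables are assumptions, and sample-realm is the realm name used in the message above.

```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class RealmAwareEjbClient {

    // JNDI environment for an OpenEJB remote client. Pass realm == null to
    // reproduce the "principal and credentials only" attempt from the thread.
    static Properties env(String user, String password, String realm) {
        Properties p = new Properties();
        p.setProperty(Context.INITIAL_CONTEXT_FACTORY,
                "org.apache.openejb.client.RemoteInitialContextFactory");
        p.setProperty(Context.PROVIDER_URL, "ejbd://localhost:4201"); // assumed host and port
        p.setProperty(Context.SECURITY_PRINCIPAL, user);
        p.setProperty(Context.SECURITY_CREDENTIALS, password);
        if (realm != null) {
            // Tells the server which of its realms to log in against.
            p.setProperty("openejb.authentication.realmName", realm);
        }
        return p;
    }

    // The login is attempted while the InitialContext is created; the JNDI
    // name of the bean is only sent afterwards, in lookup().
    static boolean connectAndLookup(Properties env, String jndiName) {
        Context ctx = null;
        try {
            ctx = new InitialContext(env);
            return ctx.lookup(jndiName) != null;
        } catch (NamingException e) {
            // Covers failed logins, an unreachable server and a missing client jar.
            System.err.println("failed: " + e);
            return false;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Credentials come from the environment (hypothetical variable names).
        String user = System.getenv("EJB_USER");
        String pass = System.getenv("EJB_PASS");
        if (user == null || pass == null) { System.err.println("set EJB_USER and EJB_PASS"); return; }
        String jndi = "SampleImpRemote"; // hypothetical JNDI name
        System.out.println("without realm: " + connectAndLookup(env(user, pass, null), jndi));
        System.out.println("with realm:    " + connectAndLookup(env(user, pass, "sample-realm"), jndi));
    }
}
```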
