geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shailen <>
Subject Re: why we need to provide security realm name to a standalone ejb client?
Date Thu, 03 Feb 2011 06:44:55 GMT
Again, geronimo is a system once I have authenticated myself to the 
system, then I am allowed to access application. But each 
component(example EJBs) will define its own authorization. If I have 
authorized myself to the component then I can access components. So the 
security is fine.
Now to call an EJB from a standalone client without passing the 
security-realm is the question.
First look says what David is suggesting seems reasonable.
May need more brain storming here.

Shailen (
Mohali, Chandigarh - 160062

On Thursday 03 February 2011 12:02 PM, Shailen wrote:
> ohh.. So jndi tree gets created when we create InitialContext.
> I found something which you  might be aware already.
> I have created a test security-realm. Now if I try to access my ejb 
> with this security-realm it is allowing me to access the object. But I 
> dont want this. My EJB is not secured this way.right ?
> I mean this is fishy as I dont want my EJB to be accessed by anyone 
> else using another security realm.
> Actually this is hack in security.
> May be we need to think more on other possible ways to escape from 
> this hack.
> Regards,
> Shailen (
> +91-9216020360
> Mohali, Chandigarh - 160062
> On Wednesday 02 February 2011 11:15 PM, David Jencks wrote:
>> The current ejb security is set up so that you need to have some 
>> credentials in some security realm in order to get the jndi tree.
>> I think you are asking for a set up so that you can get the jndi tree 
>> without any credentials but when you try to do a lookup you need to 
>> supply credentials appropriate for the object you are looking up.
>> At the moment I believe you can arrange to bind ejbs at any name you 
>> want.  In particular you can bind ejbs from different apps in the 
>> same subcontext.
>> What do you want to have happen when you try to list this subcontext, 
>> but you only have permission to access some of  the contents?
>> thanks
>> david jencks
>> On Feb 2, 2011, at 3:41 AM, Shailen wrote:
>>> Yes Juergen, I second you.
>>> I have fixed my problem and I am happy to see geronimo has 
>>> implemented what you have said for webservices. see below:
>>> <ejb:enterprise-beans>
>>> <ejb:session>
>>> <ejb:ejb-name>SampleImp</ejb:ejb-name>
>>> <ejb:web-service-security>
>>> <ejb:security-realm-name>sample-realm</ejb:security-realm-name>
>>> <ejb:realm-name>sample-realm</ejb:realm-name>
>>> <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
>>> <ejb:auth-method>BASIC</ejb:auth-method>
>>> </ejb:web-service-security>
>>> </ejb:session>
>>> </ejb:enterprise-beans>
>>> This is the code in openejb-jar.xml.  Here we are explicitly 
>>> defining to use sample-realm for webservice exposed by  SampleImp 
>>> EJB. I am able to call the webservice using the principal credentials.
>>> I am still not very sure why geronimo can't geronimo has 
>>> <ejb:ejb-security> like follows:
>>> <ejb:enterprise-beans>
>>> <ejb:session>
>>> <ejb:ejb-name>SampleImp</ejb:ejb-name>
>>> <ejb:ejb-security>
>>> <ejb:security-realm-name>sample-realm</ejb:security-realm-name>
>>> </ejb:ejb-security>
>>> </ejb:session>
>>> </ejb:enterprise-beans>
>>> Can someone please put more light on it?
>>> Regards,
>>> Shailen (
>>> +91-9216020360
>>> Mohali, Chandigarh - 160062
>>> On Wednesday 02 February 2011 01:26 PM, weberjn wrote:
>>>> One could rather argue that a client should not know about an ejb's security
>>>> configuration. This should be only known in the ejb configuration, and
>>>> nowhere else, definitivly not on the client. The ejb deployer should be able
>>>> to switch from one security realm to another, without the client knowing.
>>>>> there's no easy way to predict which application's ejb or which ejb you
>>>>> want to call
>>>> I understand this is because security lookup is done during creation of the
>>>> InitialContext and the lookup with JNDI name is done in the next call.
>>>> An alternative would be to define an order of security realm lookups.
>>>> Greetings,
>>>> Juergen
>>>> David Jencks wrote:
>>>>> This is the right place to ask this question.
>>>>> Geronimo lets you set up many security realms at once.  When you connect
>>>>> from a remote client to call ejbs, there's no easy way to predict which
>>>>> application's ejb or which ejb you want to call.  So you have to specify
>>>>> how you want to log in when you connect.
>>>>> We could allow specifying a default security realm for all of openejb
>>>>> if you don't specify a realm we use the default.
>>>>> thanks
>>>>> david jencks
>>>>> On Feb 1, 2011, at 2:27 AM, Shailen wrote:
>>>>>> Hi All,
>>>>>> I have a very simple ejb deployed on geronimo2.2.1. This ejb is secured
>>>>>> by a security realm(Database(SQL) realm). When I call this ejb from
>>>>>> standalone java client, it restricts me from accessing it without
>>>>>> authentication.
>>>>>> But when I provide this principal and credentials then also it restricts
>>>>>> me from calling this ejb.
>>>>>> When I additionally provide realmName then it enables me to call
>>>>>> ejb.
>>>>>> My question is why do we need to provide the security realm name
in the
>>>>>> client?
>>>>>> I am sorry if this is not the right place to ask such questions.
>>>>>> -- 
>>>>>> Regards,
>>>>>> Shailen (
>>>>>> +91-9216020360
>>>>>> Mohali, Chandigarh - 160062

View raw message