geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: why we need to provide security realm name to a standalone ejb client?
Date Wed, 02 Feb 2011 17:45:47 GMT
The current ejb security is set up so that you need to have some credentials in some security
realm in order to get the jndi tree.

I think you are asking for a set up so that you can get the jndi tree without any credentials
but when you try to do a lookup you need to supply credentials appropriate for the object
you are looking up.

At the moment I believe you can arrange to bind ejbs at any name you want.  In particular
you can bind ejbs from different apps in the same subcontext.

What do you want to have happen when you try to list this subcontext, but you only have permission
to access some of the contents?

thanks
david jencks

On Feb 2, 2011, at 3:41 AM, Shailen wrote:

> Yes Juergen, I second you.
> I have fixed my problem and I am happy to see geronimo has implemented what you have
> said for webservices. See below:
> 
>     <ejb:enterprise-beans>
>         <ejb:session>
>             <ejb:ejb-name>SampleImp</ejb:ejb-name>
>             <ejb:web-service-security>
>                   <ejb:security-realm-name>sample-realm</ejb:security-realm-name>
>                   <ejb:realm-name>sample-realm</ejb:realm-name>
>                   <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
>                   <ejb:auth-method>BASIC</ejb:auth-method>
>               </ejb:web-service-security>
>         </ejb:session>
>     </ejb:enterprise-beans>
> 
> This is the code in openejb-jar.xml.  Here we are explicitly defining to use sample-realm
> for webservice exposed by SampleImp EJB. I am able to call the webservice using the principal
> credentials.
> 
> I am still not very sure why geronimo can't have <ejb:ejb-security> as
> follows:
> 
>     <ejb:enterprise-beans>
>         <ejb:session>
>             <ejb:ejb-name>SampleImp</ejb:ejb-name>
>             <ejb:ejb-security>
>                   <ejb:security-realm-name>sample-realm</ejb:security-realm-name>
>               </ejb:ejb-security>
>         </ejb:session>
>     </ejb:enterprise-beans>
> 
> Can someone please put more light on it?
> 
> Regards,
> Shailen (khichi.shailendra@gmail.com)
> +91-9216020360
> Mohali, Chandigarh - 160062
> 
> On Wednesday 02 February 2011 01:26 PM, weberjn wrote:
>> 
>> One could rather argue that a client should not know about an ejb's security
>> configuration. This should be only known in the ejb configuration, and
>> nowhere else, definitely not on the client. The ejb deployer should be able
>> to switch from one security realm to another, without the client knowing.
>>> there's no easy way to predict which application's ejb or which ejb you
>>> want to call
>> I understand this is because security lookup is done during creation of the
>> InitialContext and the lookup with JNDI name is done in the next call.
>> 
>> An alternative would be to define an order of security realm lookups.
>> 
>> Greetings,
>> Juergen
>> 
>> 
>> 
>> 
>> 
>> David Jencks wrote:
>>> This is the right place to ask this question.
>>> 
>>> Geronimo lets you set up many security realms at once.  When you connect
>>> from a remote client to call ejbs, there's no easy way to predict which
>>> application's ejb or which ejb you want to call.  So you have to specify
>>> how you want to log in when you connect.
>>> 
>>> We could allow specifying a default security realm for all of openejb so
>>> if you don't specify a realm we use the default.
>>> 
>>> thanks
>>> david jencks
>>> 
>>> On Feb 1, 2011, at 2:27 AM, Shailen wrote:
>>> 
>>>> Hi All,
>>>> 
>>>> I have a very simple ejb deployed on geronimo2.2.1. This ejb is secured
>>>> by a security realm(Database(SQL) realm). When I call this ejb from a
>>>> standalone java client, it restricts me from accessing it without
>>>> authentication.
>>>> 
>>>> But when I provide this principal and credentials then also it restricts
>>>> me from calling this ejb.
>>>> When I additionally provide realmName then it enables me to call this
>>>> ejb.
>>>> 
>>>> My question is why do we need to provide the security realm name in the
>>>> client?
>>>> 
>>>> I am sorry if this is not the right place to ask such questions.
>>>> -- 
>>>> 
>>>> Regards,
>>>> Shailen (khichi.shailendra@gmail.com)
>>>> +91-9216020360
>>>> Mohali, Chandigarh - 160062
>>> 
>>> 
>> 

