I am currently studying how Java EE6 Security can protect our applications using GlassFish. I know how to create areas, roles and users. I managed to get a simple basic login with a servlet. "Normal users were not allowed to see the admin page, while the admin user was, so the test worked well.
Now, however, I want to go a little deeper into it.
The idea is that I host a web service using an EJB container. This web service does not know anything about this, so I decided that the caller should send the credentials (username and password) along with the call. The web service can then authenticate the user and then, based on this, allow or deny access to the methods.
The fact is that I do not know how to check 2 lines (username and password) and configure the role for callers in the web service.
I know this API should help me: http://docs.oracle.com/javaee/1.4/api/javax/ejb/EJBContext.html
But this does not give me a clear understanding of how to do this. All that tells me is that I can check certain properties when the user is already in the role, but since this is a web service, there is no role yet ... I have to create it first, but how?
In addition, I know that GlassFish supports login through LDAP, and this is the end goal I'm working on. Perhaps any ideas on how to do this correctly? What would be the best way to get closer to all this?
Thanks in advance,
Reens
==================================================== =============================
UPDATE / EDIT:
Well, since I could only comment and could not answer, I decided that I would simply edit my original post. Here we go:
The idea is that I should research Glassfish EE6 Security for web services. Now ... I read a lot about JAAS (Java Authorization Authorization Service). It works with annotations in a webservice bean as follows:
@RolesAllowed("ADMIN") public String doAdminStuff(){
I tried something with a servlet and it worked perfectly! I have basic authentication that allowed the user to log in before accessing the bean web service. The web.xml servlet took care of the configuration, as in the description of which scan areas and which users were there, etc.
Now I need to test it without a servlet, because the idea is that the web service can work without it knowing its customers. Thus, the client must specify the username and password along with his call. I used an interceptor to log in, and then checked if the user is allowed to use the method using the @RolesALlowed annotation.
This is the code: webservice bean:
@LocalBean @WebService @Stateless public class EE6SecurityBean implements EE6SecurityBeanInterface { @Interceptors(UserValidationInterceptor.class) @RolesAllowed("ADMIN") public String doAdminStuff(String user, String password){ return "it works"; } }
Then the interceptor:
@Interceptor public class UserValidationInterceptor { private ProgrammaticLoginInterface programmaticLogin = new ProgrammaticLogin(); @AroundInvoke public Object intercept(InvocationContext ctx) throws Exception {
Now this works great if I comment on @RolesAllowed ("ADMIN"), except that every user configured in the "Developingjava" area can use this method. But if I use @RolesAllowed ("ADMIN"), I get the following error:
INFO: JACC policy provider: permission check error, context (EE6SecurityEAR / EE6SecurityEJB_jar) - permission ((javax.security.jacc.EJBMethodPermission EE6SecurityBean testWaarde, ServiceEndpoint, java.lang.String, java.lang.String)
I configured my sun-ejb-jar.xml like this (the servlet needs an xml configuration, but I really doubt that the bean even uses it ..):
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd"> <sun-ejb-jar> <security-role-mapping> <role-name>ADMIN</role-name> <group-name>Admin</group-name> <principal-name>Admin</principal-name> </security-role-mapping> <enterprise-beans> <unique-id>1</unique-id> <ejb> <ejb-name>EE6SecurityBean</ejb-name> <jndi-name></jndi-name> <pass-by-reference>false</pass-by-reference> <ior-security-config> <transport-config> <integrity>supported</integrity> <confidentiality>supported</confidentiality> <establish-trust-in-target>supported</establish-trust-in-target> <establish-trust-in-client>supported</establish-trust-in-client> </transport-config> <as-context> <auth-method>username_password</auth-method> <realm>Developingjava</realm> <required>true</required> </as-context> <sas-context> <caller-propagation>supported</caller-propagation> </sas-context> </ior-security-config> <is-read-only-bean>false</is-read-only-bean> <refresh-period-in-seconds>-1</refresh-period-in-seconds> <gen-classes/> </ejb> </enterprise-beans> </sun-ejb-jar>
I really need help with this. This may not be the right way to deal with security for web services, but my company wants me to do research on the new EE6 security technology ...
Any tips?
Thank you in advance:)