All geek questions in one place

Concept of reusable login session in rmi ejb calls

This is not an easy question, because I am rethinking our architecture to ensure the security of our EJB 3.0 service with login and security.

We have an EJB3.0 application on JBoss 5.1, which offers various services to the SWT client for reading and writing data. To use the service, the client must be logged in with a valid user and password that is viewed by SpringSecurity on the LDAP server. SpringSecurity generates a session identifier that is passed back to the client for reuse on any subsequent service call.

client server | | |-> login(user/password)-------->| | | | <------- sessionId ------------| | | |-->serviceXy(sessionId,param1)->|

The situation seems clear. We store sessionId in our own context, which is the first parameter of each service method. There is an interceptor for each service method that reads sessionId from a given context object and checks if the session is valid. The client must first call the login service in order to get the context object populated by sessionId and reuse this context object in subsequent service calls.

 public class OurContext { private String sessionId; } @Stateless @Interceptors(SecurityInterceptor.class) public OurServiceImpl implements OurService { public void doSomething(OurContext context, String param1) { [...] } }

What I don't like about this solution is to use each service method with a context parameter. Is there a similar mechanism like an http session in rmi calls? I’m thinking about putting our context object in some session that is created on the client (?) Immediately after logging in and passed to the server every time the service is called, so that SecurityInterceptor can read sessionId from this "magic context". "

Something like that:

 OurContext ctx = service.login("user","password"); Magical(Jboss)Session.put("securContext", ctx); service.doSomething("just the string param");
+3
source share
3 answers

Since you are already using the application server, it seems that you should use the built-in EJB security mechanisms typically provided through JAAS. On line 4.x of jboss, if you have implemented your JAAS plug-in for jboss, you can access a β€œspecial” context map (similar to what you are describing) that is transmitted by remote requests (via the jboss remote calling system). I haven't used jboss after a while, so I'm not sure how this compares with 5.1, but I have to assume that it has similar capabilities. This assumes, of course, that you are ready to implement something specific jboss.

+2
source

There are some session mechanisms in EJB, but they all start at the beginning of the remote call and end when it ends. The old one shows the context of the transaction (Adam Bien wrote about this some time ago), and the newer one in the field of CDI sessions.

Contrary to popular belief, this area not only reflects the area of ​​the http session, but in the absence of an http session (for example, for remote calls) it represents a single call chain or message delivery (for mdbs).

With such a session, your remote SWT client should still pass sessionId to the remote service, but any local beans called from there can select it from this cdi session.

Another option is similar to what jtahlborn says: with your own login module, you can return the user principle, not the default. Your code may first request a normal principal, and then try to execute it.

The problem is that this material is container specific, and JBoss always forgets about it. This breaks down badly after each update, and users are forced to kick and scream in order to fix it in the next version (only to see how after that it will break again in the version). Without JBoss really supporting this, this is an endless battle.

Another option is to let the user log in as sessionId. The input module behind it can be a simple module that accepts everything and simply puts the principal in the security context with sessionId as the "name". This is a bit strange, but we have successfully used this to get any data that can be expressed as a string in a security context. Of course, you will need to allow your client to perform basic container authentication, which in turn wins using Spring security.

+1
source

We went for another approach, which is portable and does not depend on a specific application server. In addition, our security implementation frees us from the limitations of the EJB approach (which, incidentally, I thought was closed 2 decades ago ... but reappeared).

Top to bottom view:

There is a server that provides classes for working with the same data. The client provides data and calls specific methods.

Our approach is to put all the data (and therefore the connection between the client and server) in the "Business Object". Each BO extends a superclass. This superclass contains the session identifier. The login method provides and returns this identifier. Each client only needs to ensure that the identifier received in one BO is copied to the next one, which it sends to the server. Each method that can be remotely (or locally) called first receives a session object with an accepted identifier. The session object return method also checks for security restrictions (which are based on permissions and not on roles similar to the EKB method).

0
source

Source: https://habr.com/ru/post/1397667/

More articles:


All Articles