Author: Sherif F. Makary Level: Intermediate Technologies: EJB, Security Summary: Shows how to use Java EE Declarative Security to Control Access to EJB 3 Target Product: EAP Source: https://github.com/jboss-jdf/jboss-as-quickstart/
This example demonstrates the use of Java EE declarative security to control access to Servlets and EJBs in JBoss Enterprise Application Platform 6 or JBoss AS 7.
This quickstart takes the following steps to implement EJB security:
-
Define the security domain. This can be done either in the
securitysubsytem of thestandalone.xmlconfiguration file or in theWEB-INF/jboss-web.xmlconfiguration file. This quickstart uses theothersecurity domain which is provided by default in thestandalone.xmlfile:<security-domain name="other" cache-type="default"> <authentication> <login-module code="Remoting" flag="optional"> <module-option name="password-stacking" value="useFirstPass"/> </login-module> <login-module code="RealmDirect" flag="required"> <module-option name="password-stacking" value="useFirstPass"/> </login-module> </authentication> </security-domain> -
Add the
@SecurityDomain("other")security annotation to the EJB declaration to tell the EJB container to apply authorization to this EJB. -
Add the
@RolesAllowed({ "guest" })annotation to the EJB declaration to authorize access only to users withguestrole access rights. -
Add the
@RolesAllowed({ "guest" })annotation to the Servlet declaration to authorize access only to users withguestrole access rights. -
Add a
<login-config>security constraint to theWEB-INF/web.xmlfile to force the login prompt. -
Add an application user with
guestrole access rights to the EJB. This quickstart defines a userquickstartUserwith passwordquickstartPwd1!in theguestrole. Theguestrole matches the allowed user role defined in the@RolesAllowedannotation in the EJB. -
Add a second user that has no
guestrole access rights.
All you need to build this project is Java 6.0 (Java SDK 1.6) or better, Maven 3.0 or better.
The application this project produces is designed to be run on JBoss Enterprise Application Platform 6 or JBoss AS 7.
If you have not yet done so, you must Configure Maven before testing the quickstarts.
This quickstart uses a secured management interface and requires that you create an application user to access the running application. Instructions to set up an Application user can be found here: Add an Application User
After you add the default quickstartUser, use the same steps to add a second application user who is not in the guest role and therefore is not authorized to access the application.
Username: user1
Password: password1!
Roles: app-user
-
Open a command line and navigate to the root of the JBoss server directory.
-
The following shows the command line to start the server with the web profile:
For Linux: JBOSS_HOME/bin/standalone.sh For Windows: JBOSS_HOME\bin\standalone.bat
NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See Build and Deploy the Quickstarts for complete instructions and additional options.
-
Make sure you have started the JBoss Server as described above.
-
Open a command line and navigate to the root directory of this quickstart.
-
Type this command to build and deploy the archive:
mvn clean package jboss-as:deploy -
This will deploy
target/jboss-as-ejb-security.warto the running instance of the server.
The application will be running at the following URL http://localhost:8080/jboss-as-ejb-security/.
When you access the application, you are presented with a browser login challenge.
-
If you attempt to login with a user name and password combination that has not been added to the server, the login challenge will be redisplayed.
-
When you login successfully using
quickstartUser/quickstartPwd1!, the browser displays the following security info:Successfully called Secured EJB Principal : quickstartUser Remote User : quickstartUser Authentication Type : BASIC -
Now close and reopen the brower session and access the application using the
user1/password1!credentials. In this case, the Servlet, which only allows theguestrole, restricts the access and you get a security exception similar to the following:HTTP Status 403 - Access to the requested resource has been denied type Status report message Access to the requested resource has been denied description Access to the specified resource (Access to the requested resource has been denied) has been forbidden. -
Next, change the EJB (SecuredEJB.java) to a different role, for example,
@RolesAllowed({ "other-role" }). Do not modify theguestrole in the Servlet (SecuredEJBServlet.java). Build and redeploy the quickstart, then close and reopen the browser and login usingquickstartUser/quickstartPwd1!. This time the Servlet will allow theguestaccess, but the EJB, which only allows the roleother-role, will throw an EJBAccessException:HTTP Status 500 message description The server encountered an internal error () that prevented it from fulfilling this request. exception javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public java.lang.String org.jboss.as.quickstarts.ejb_security.SecuredEJB.getSecurityInfo() of bean: SecuredEJB is not allowed
-
Make sure you have started the JBoss Server as described above.
-
Open a command line and navigate to the root directory of this quickstart.
-
When you are finished testing, type this command to undeploy the archive:
mvn jboss-as:undeploy
You can also start the server and deploy the quickstarts from Eclipse using JBoss tools. For more information, see Use JBoss Developer Studio or Eclipse to Run the Quickstarts
If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them.
mvn dependency:sources
mvn dependency:resolve -Dclassifier=javadoc