This section is under construction, please check back later.

Related Documents

Security - login module configuration
Security Annotations - EJB3 related annotation based security.

Server Side Security

There are a few things worth noting about security from the server-side perspective.

Security Propagation

Note: this is partially documented in section 14.8.1.1 of the EJB 3 specification.

  1. A bean obtained from within the container inherits the entire security context of the method that looked it up: the same principal and the same set of roles.
  2. Looking up a bean through an InitialContext, or having it injected, inherits the security context (user, roles, etc.), so the context propagates through every container-managed bean in the chain of method calls.
  3. No properties may be passed to the InitialContext; you MUST use the no-argument constructor. Documents elsewhere describe using the OpenEJB initial context factories with usernames, passwords and so on; that approach is OpenEJB-specific and exists to support non-standard clients that are not running inside an EJB container, not for code running inside one.

For example, here is an EJB that returns another bean through a remote method call. The OtherBean instance will carry the same security context as MyBean, including the principal (username) and roles.

import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Declares the reference "otherBean" in this bean's java:comp/env namespace.
@EJB(name = "otherBean", beanInterface = IOtherBean.class)
@Stateless // bean type is not given on the page; a stateless session bean is assumed
public class MyBean
{
    public IOtherBean getOtherBean() throws NamingException
    {
        // No-argument constructor only: the looked-up bean inherits this
        // method's caller principal and roles.
        InitialContext context = new InitialContext();
        return (IOtherBean) context.lookup("java:comp/env/otherBean");
    }
}
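To make the three propagation rules concrete, here is an added example that is not code from this page or from the OpenEJB project. It shows three hypothetical source files: the interfaces IOtherBean and IMyBean, a downstream OtherBean, and a front MyBean. The role names "manager" and "employee", the interface IMyBean, and all method names are assumptions. OtherBean guards its method with @RolesAllowed and reports the caller principal it sees; MyBean reaches it both by injection and by a no-argument InitialContext lookup. Because the context propagates unchanged, a "manager" caller gets the same principal name back by both paths, while a caller who only holds "employee" is admitted to MyBean but rejected by the container at OtherBean.whoAmI() with EJBAccessException: propagation carries the caller's identity forward, it does not lend the intermediate bean any extra authority.

```java
// File: IOtherBean.java
import javax.ejb.Remote;

@Remote
public interface IOtherBean {
    String whoAmI();
}

// File: IMyBean.java (assumed interface for the front bean)
import javax.ejb.Remote;

@Remote
public interface IMyBean {
    String viaInjection();
    String viaLookup() throws javax.naming.NamingException;
    boolean sameCallerBothWays() throws javax.naming.NamingException;
}

// File: OtherBean.java (hypothetical downstream bean)
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class OtherBean implements IOtherBean {
    @Resource
    private SessionContext ctx;

    // Evaluated by the container against the propagated context: the caller
    // must hold "manager" (assumed role name) or the call fails with
    // javax.ejb.EJBAccessException before this body runs.
    @RolesAllowed("manager")
    public String whoAmI() {
        Principal caller = ctx.getCallerPrincipal();
        return caller.getName();
    }
}

// File: MyBean.java (hypothetical front bean)
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.naming.InitialContext;
import javax.naming.NamingException;

@Stateless
@RolesAllowed({"manager", "employee"}) // assumed role names
public class MyBean implements IMyBean {
    @Resource
    private SessionContext ctx;

    // Field injection. name="otherBean" also publishes the reference as
    // java:comp/env/otherBean, so the lookup path below resolves the same bean.
    @EJB(name = "otherBean")
    private IOtherBean injected;

    // Path 1: injected reference. The call runs with this method's caller
    // principal and roles.
    public String viaInjection() {
        return injected.whoAmI();
    }

    // Path 2: JNDI lookup. The no-argument constructor is mandatory; it is
    // what keeps the current security context attached to the looked-up bean.
    public String viaLookup() throws NamingException {
        InitialContext ic = new InitialContext();
        IOtherBean looked = (IOtherBean) ic.lookup("java:comp/env/otherBean");
        return looked.whoAmI();
    }

    // True for a "manager" caller: OtherBean sees exactly the principal that
    // reached MyBean. An "employee"-only caller never gets a result here; the
    // container throws EJBAccessException inside viaInjection().
    public boolean sameCallerBothWays() throws NamingException {
        String here = ctx.getCallerPrincipal().getName();
        return here.equals(viaInjection()) && here.equals(viaLookup());
    }
}
```

The only standard way to change the identity seen downstream is to mark the intermediate bean with @RunAs, which is covered by the Security Annotations document listed above; without it, whatever principal and roles reach MyBean are exactly what OtherBean's @RolesAllowed is checked against. The "manager" and "employee" names exist only for this example and would have to be mapped to real groups in the login module configuration referenced under Related Documents.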

3 Comments

  1. Is it true that credentials are only propagated on the very first call to the back end, of a stateful session bean? i.e. subsequent calls are trusted for that session, and the credential is ditched, but the principal keeps propagating?

    Is it true the credentials are cached and propagated on every call of a stateless bean? If not, are they passed on the first one, and is some other method used after authentication is established (such as a token)?

    Can I force authentication to go through the back end EJB server, propagate the trust forward, and not be done by the front end tomcat/openejb?

    1. Oh, I was crazy. I had thought that my users.properties and groups.properties needed to be in the WEB-INF/classes, but I removed them, and it still worked, so obviously the authentication goes all the way back. That's the normal/expected method, right?

      EDIT: No, I do need users/realms configured; it wasn't using users.properties at all, because that's for the back end, if I use it in local mode. I'm crazy, maybe I should go to bed now, it's 4:41am.

      So yeah, my questions still stand I guess.

  2. If I'm reading this right, Section 14.8.2.3 (point #2) of the EJB core specification says that server-only authentication is a requirement, but I can't find any documentation on how to get this working.

    Thanks for any help, as I had hoped to update this documentation, based on what the behaviour is.