Posted to user@geronimo.apache.org by jayess <js...@yahoo.ca> on 2008/10/25 00:11:44 UTC

Spring Security & securing EJBs in Geronimo

Hi. I'm doing a little investigation to see if we can use Spring Security for
the web tier and still have the EJBs secured by the container (as I
understand Spring Security can't be used for EJBs - am I wrong?). The
customer wants to use Spring Security. And this is just investigative work
to find possible approaches.

End result is that I want to be able to secure the EJBs using annotations.

I have an EAR file deployed to Geronimo (Jetty). In the EAR, I have a simple
WAR file that is secured by Spring Security (i.e. all web resources are
protected properly). I've enabled authentication/authorization at this level
and it works fine. For the EJBs, I've added @RolesAllowed annotations to my
EJBs and I've enabled EJB security by adding an empty <security/> tag in the
geronimo-application.xml. Now my EJBs are secure (I get an "Unauthorized
Access by Principal Denied" when I try to access them).

Now I need to tie the two securities together. I am thinking that I could
create a servlet filter that "hooks into" geronimo security as follows:

   :
   Subject subject = new Subject();
   subject.getPrincipals().add(...);
   ContextManager.setCurrentCallers(subject, subject);
   :

However I am having problems. When I try to access a secured EJB (after
authentication in Spring), I get the following error:

java.lang.NullPointerException
	at org.apache.geronimo.security.ContextManager.getCurrentContext(ContextManager.java:164)
	at org.apache.geronimo.openejb.GeronimoSecurityService.isCallerAuthorized(GeronimoSecurityService.java:101)
	at org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:142)
	at org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:217)
	at org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:77)
	at org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:321)
	at org.apache.openejb.util.proxy.Jdk13InvocationHandler.invoke(Jdk13InvocationHandler.java:49)


So my questions:
1. Is there a way to hook into Geronimo security? If so how do I create the
Subject properly so that Geronimo can use it?
2. Given that we want to use "Spring Security" for the web tier, but want
our EJBs secured ... is there a better approach? 

I'm new to security in general and any advice would be greatly welcomed.
Also, to reiterate, we have not decided to use Spring Security but need to
investigate if it's even doable - given the fact we are deploying to
Geronimo and do want our EJBs secured by annotations.

Thanks so much!!!!
-- 
View this message in context: http://www.nabble.com/Spring-Security---securing-EJBs-in-Geronimo-tp20158641s134p20158641.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.


Re: Spring Security & securing EJBs in Geronimo

Posted by David Jencks <da...@yahoo.com>.
On Oct 24, 2008, at 3:11 PM, jayess wrote:

>
> Hi. I'm doing a little investigation to see if we can use Spring  
> Security for
> the web tier and still have have the EJBs secured by the container  
> (as I
> understand Spring Security can't be used for EJBs - am I wrong?). The
> customer wants to use Spring Security. And this is just  
> investigative work
> to find possible approaches.
>
> End result is that I want to be able to secure the EJBs using  
> annotations.
>
> I have a EAR file deployed to Geronimo (Jetty). In the EAR, I have a  
> simple
> WAR file that is secured by Spring Security (i.e. all web resources  
> are
> protected properly). I've enabled authentication/authorization at  
> this level
> and it works fine. For the EJBs, I've added @RolesAllowed  
> annotations to my
> EJBs and I've enabled EJB security by adding an empty <security/>  
> tag in the
> geronimo-application.xml. Now my EJBS are secure (I get a  
> "Unauthorized
> Access by Principal Denied" when I try to access them).
>
> Now I need to tie the two securities together. I am thinking that I  
> could
> create a servlet filter that "hooks into" geronimo security as  
> follows:
>
>   :
>   Subject subject = new Subject();
>   subject.getPrincipals().add(...);
>   ContextManager.setCurrentCallers(subject,subject)

That's close to what should work....

First, if you can get the principals I imagine you can get the Subject  
out of Spring security and use it rather than constructing another one.

Next, for geronimo's JACC Implementation to work you have to register  
the Subject so we can pre-compute the AccessControlContext for the  
subject.

Finally, the ContextManager.setCurrentCallers(subject,subject) is  
correct.  So I think something like this ought to work:

Subject subject = extractSubjectFromTheDeathGripOfSpring();
ContextManager.registerSubject(subject);
ContextManager.setCurrentCallers(subject,subject);

If Spring successfully hides the subject but lets you see the  
principals then constructing a Subject as you do above ought to work  
too.

Hope this helps
david jencks

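The three steps from the reply (take the Spring principals, register the Subject, set the callers) put into a servlet filter, as an added example that is not code from either poster or from Geronimo. It assumes Spring Security 3.x package names (2.0 uses org.springframework.security.context and returns a GrantedAuthority[]), that GeronimoUserPrincipal/GeronimoGroupPrincipal are the principal classes your geronimo-application.xml role-mapping refers to, and that ContextManager.clearCallers() and unregisterSubject(Subject) exist next to the registerSubject/setCurrentCallers calls quoted above.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.*;
import org.apache.geronimo.security.ContextManager;
import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;
import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Runs after Spring Security's filter chain, so the Authentication is already set.
public class GeronimoCallerBridgeFilter implements Filter {

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Bridge only a genuinely authenticated user; anonymous requests reach the
        // EJBs with no caller and are still rejected by @RolesAllowed.
        if (auth == null || !auth.isAuthenticated()) {
            chain.doFilter(req, res);
            return;
        }
        Subject subject = toGeronimoSubject(auth);
        // Registering lets Geronimo pre-compute the AccessControlContext that
        // isCallerAuthorized() looks up; without it getCurrentContext() has
        // nothing for this Subject, which is the NullPointerException above.
        ContextManager.registerSubject(subject);
        ContextManager.setCurrentCallers(subject, subject);
        try {
            chain.doFilter(req, res);
        } finally {
            // The caller context is thread-local. Clear it before the pooled
            // thread serves the next request, or the next user inherits it.
            ContextManager.clearCallers();           // assumed API
            ContextManager.unregisterSubject(subject); // assumed API
        }
    }

    // Map the Spring user name and authorities onto the principal classes a
    // <role-mapping> in geronimo-application.xml can name (assumed classes).
    static Subject toGeronimoSubject(Authentication auth) {
        Subject s = new Subject();
        s.getPrincipals().add(new GeronimoUserPrincipal(auth.getName()));
        for (GrantedAuthority ga : auth.getAuthorities()) {
            s.getPrincipals().add(new GeronimoGroupPrincipal(ga.getAuthority()));
        }
        return s;
    }
}
```

An empty <security/> element turns EJB security on but maps nothing, so a <role-mapping> that names these principal classes is still needed for @RolesAllowed to admit anyone.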