Posted to user@geronimo.apache.org by Shailen <kh...@gmail.com> on 2011/02/01 11:27:41 UTC

why we need to provide security realm name to a standalone ejb client?

Hi All,

I have a very simple ejb deployed on geronimo2.2.1. This ejb is secured 
by a security realm (Database (SQL) realm). When I call this ejb from a 
standalone java client, it restricts me from accessing it without 
authentication.

But even when I provide the principal and credentials, it still restricts 
me from calling this ejb.
When I additionally provide realmName, it lets me call this ejb.

My question is why do we need to provide the security realm name in the 
client?

I am sorry if this is not the right place to ask such questions.

-- 

Regards,
Shailen (khichi.shailendra@gmail.com)
+91-9216020360
Mohali, Chandigarh - 160062


Re: why we need to provide security realm name to a standalone ejb client?

Posted by David Jencks <da...@yahoo.com>.
On Feb 1, 2011, at 8:26 PM, Shailen wrote:

> Hi David,
> 
> Thanks for that information. 2 things here:
> 1. Where is that property in security realm that makes it default?

There is no way to do that currently.  I was suggesting that it is a possible future feature.  Patches are welcome.

> 2. I have also exported that EJB as a webservice now, and when I am trying to consume this webservice from soapui, it's giving me an exception: 
> 
> "javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied: Unauthorized Access by Principal Denied"
> 
> How do I call that webservice?

ejb web service security is configured similarly to web app security, but in the geronimo plan for the ejb.  In this case you will be able to specify the security realm for the web service login.

I don't see any instructions in the documentation so I suggest looking at the xml schema for the openejb-jar.xml (not ejb-jar.xml).

hope this helps
david jencks



Re: why we need to provide security realm name to a standalone ejb client?

Posted by Shailen <kh...@gmail.com>.
Also, I would like the EJB to know the user who is calling it.
I think EJBContext will fulfill this, but I am not able to get it.
I used

@Resource(type = EJBContext.class)
private EJBContext context;

But deployment fails as it is unable to inject the desired object.
How do I pass the desired object from the deployment descriptor?

Any help much appreciated here.
Thanks.

Regards,
Shailen (khichi.shailendra@gmail.com)
+91-9216020360
Mohali, Chandigarh - 160062



Re: why we need to provide security realm name to a standalone ejb client?

Posted by Shailen <kh...@gmail.com>.
Hi David,

Thanks for that information. 2 things here:
1. Where is that property in security realm that makes it default?
2. I have also exported that EJB as a webservice now, and when I am 
trying to consume this webservice from soapui, it's giving me an exception:

"javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied: 
Unauthorized Access by Principal Denied"

How do I call that webservice?

Regards,
Shailen (khichi.shailendra@gmail.com)
+91-9216020360
Mohali, Chandigarh - 160062



Re: why we need to provide security realm name to a standalone ejb client?

Posted by Shailen <kh...@gmail.com>.
Again, geronimo is a system: once I have authenticated myself to the 
system, then I am allowed to access the application. But each 
component (for example EJBs) will define its own authorization. If I have 
authorized myself to the component then I can access the component. So the 
security is fine.
Now, how to call an EJB from a standalone client without passing the 
security-realm is the question.
At first look, what David is suggesting seems reasonable.
May need more brainstorming here.

Regards,
Shailen (khichi.shailendra@gmail.com)
+91-9216020360
Mohali, Chandigarh - 160062



Re: why we need to provide security realm name to a standalone ejb client?

Posted by David Jencks <da...@yahoo.com>.
I don't understand what you think is a hack.

You've set up a security realm, you log in, and the login modules for the security realm have added one or more principals to the subject.

You've mapped at least one of these principals to the appropriate application role that can access your ejb method.

If you want you can specify which security realm and which login module generated this principal. (for an example see the last paragraph on https://cwiki.apache.org/GMOxDOC22/configuring-run-as-and-default-subjects-and-principal-role-mapping.html)

What's insecure here?

thanks
david jencks

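The realm-qualified mapping described above, modelled as an added example (it is not Geronimo or OpenEJB code, and the realm names, users, passwords and login-module names are constructed): two realms both authenticate a user called alice, an unqualified principal-to-role mapping grants the role to that name from either realm, and a mapping qualified by realm and login module grants it only to the principal the deployer intended.

```python
"""Model of a realm-qualified principal-to-role mapping (constructed example).

Not Geronimo or OpenEJB code: it mirrors the thread's description of the
mechanism. A login against a named security realm produces a Subject whose
principals record which realm and login module produced them; a role
mapping grants a role to matching principals and may be restricted to a
given realm and login module.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    realm: str          # security realm the login ran against
    login_module: str   # login module inside that realm that produced it


@dataclass(frozen=True)
class Subject:
    principals: FrozenSet[Principal]


# Constructed realms: realm name -> {user: (password, login module name)}.
# Both realms know a user called "alice"; only sample-realm is the one the
# EJB deployer intended to protect the bean with.
REALMS: Dict[str, Dict[str, Tuple[str, str]]] = {
    "sample-realm": {"alice": ("s3cret-sample", "SQLLoginModule")},
    "test-realm":   {"alice": ("anything",      "PropertiesFileLoginModule")},
}


def login(realm_name: str, user: str, password: str) -> Optional[Subject]:
    """Authenticate against one named realm; None on failure."""
    realm = REALMS.get(realm_name)
    if realm is None or user not in realm:
        return None
    expected, module = realm[user]
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return Subject(frozenset({Principal(user, realm_name, module)}))


@dataclass(frozen=True)
class RoleRule:
    """One entry of a principal-to-role mapping.

    realm / login_module of None means "any", i.e. an unqualified mapping
    that only looks at the principal's name.
    """
    role: str
    principal_name: str
    realm: Optional[str] = None
    login_module: Optional[str] = None

    def matches(self, p: Principal) -> bool:
        return (p.name == self.principal_name
                and self.realm in (None, p.realm)
                and self.login_module in (None, p.login_module))


def roles_for(subject: Subject, rules: Iterable[RoleRule]) -> FrozenSet[str]:
    """Roles the subject holds under the given mapping."""
    return frozenset(r.role for r in rules
                     for p in subject.principals if r.matches(p))


def is_caller_in_role(subject: Optional[Subject], role: str,
                      rules: Iterable[RoleRule]) -> bool:
    """Authorization decision for a method restricted to `role`."""
    return subject is not None and role in roles_for(subject, rules)


# Mapping by principal name only: a principal named "alice" from *any*
# realm gets the role (the behaviour the thread calls fishy).
UNQUALIFIED = (RoleRule("ejb-user", "alice"),)

# Mapping qualified by realm and login module: only the principal produced
# by sample-realm's SQL login module gets the role.
QUALIFIED = (RoleRule("ejb-user", "alice",
                      realm="sample-realm", login_module="SQLLoginModule"),)


def demo() -> Dict[str, bool]:
    """Returns the four decisions so they can be inspected or asserted on."""
    from_sample = login("sample-realm", "alice", "s3cret-sample")
    from_test = login("test-realm", "alice", "anything")
    return {
        "unqualified/sample-realm": is_caller_in_role(from_sample, "ejb-user", UNQUALIFIED),
        "unqualified/test-realm":   is_caller_in_role(from_test, "ejb-user", UNQUALIFIED),
        "qualified/sample-realm":   is_caller_in_role(from_sample, "ejb-user", QUALIFIED),
        "qualified/test-realm":     is_caller_in_role(from_test, "ejb-user", QUALIFIED),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision:28s} -> {'allowed' if allowed else 'denied'}")
```

The extra realm never bypasses the mapping; it only matters when the mapping is written by principal name alone, which is the point of qualifying it.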


Re: why we need to provide security realm name to a standalone ejb client?

Posted by Shailen <kh...@gmail.com>.
ohh.. So the jndi tree gets created when we create InitialContext.

I found something which you might be aware of already.
I have created a test security-realm. Now if I try to access my ejb with 
this security-realm it is allowing me to access the object. But I don't 
want this. My EJB is not secured this way, right?
I mean this is fishy as I don't want my EJB to be accessed by anyone else 
using another security realm.
Actually this is a hack in security.
Maybe we need to think more on other possible ways to escape from this 
hack.

Regards,
Shailen (khichi.shailendra@gmail.com)
+91-9216020360
Mohali, Chandigarh - 160062



Re: why we need to provide security realm name to a standalone ejb client?

Posted by David Jencks <da...@yahoo.com>.
The current ejb security is set up so that you need to have some credentials in some security realm in order to get the jndi tree.

I think you are asking for a set up so that you can get the jndi tree without any credentials but when you try to do a lookup you need to supply credentials appropriate for the object you are looking up.

At the moment I believe you can arrange to bind ejbs at any name you want.  In particular you can bind ejbs from different apps in the same subcontext.

What do you want to have happen when you try to list this subcontext, but you only have permission to access some of the contents?

thanks
david jencks



Re: why we need to provide security realm name to a standalone ejb client?

Posted by Shailen <kh...@gmail.com>.
Yes Juergen, I second you.
I have fixed my problem and I am happy to see geronimo has implemented 
what you have said for webservices. See below:

    <ejb:enterprise-beans>
        <ejb:session>
            <ejb:ejb-name>SampleImp</ejb:ejb-name>
            <ejb:web-service-security>
                <ejb:security-realm-name>sample-realm</ejb:security-realm-name>
                <ejb:realm-name>sample-realm</ejb:realm-name>
                <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
                <ejb:auth-method>BASIC</ejb:auth-method>
            </ejb:web-service-security>
        </ejb:session>
    </ejb:enterprise-beans>

This is the code in openejb-jar.xml.  Here we are explicitly defining to 
use sample-realm for the webservice exposed by the SampleImp EJB. I am able to 
call the webservice using the principal credentials.

I am still not very sure why geronimo can't have 
<ejb:ejb-security> like the following:

    <ejb:enterprise-beans>
        <ejb:session>
            <ejb:ejb-name>SampleImp</ejb:ejb-name>
            <ejb:ejb-security>
                <ejb:security-realm-name>sample-realm</ejb:security-realm-name>
            </ejb:ejb-security>
        </ejb:session>
    </ejb:enterprise-beans>

Can someone please put more light on it?

Regards,
Shailen (khichi.shailendra@gmail.com)
+91-9216020360
Mohali, Chandigarh - 160062



Re: why we need to provide security realm name to a standalone ejb client?

Posted by weberjn <we...@gmail.com>.
One could rather argue that a client should not know about an ejb's security
configuration. This should be only known in the ejb configuration, and
nowhere else, definitively not on the client. The ejb deployer should be able
to switch from one security realm to another, without the client knowing.
> there's no easy way to predict which application's ejb or which ejb you
> want to call
I understand this is because security lookup is done during creation of the
InitialContext and the lookup with JNDI name is done in the next call.

An alternative would be to define an order of security realm lookups.

Greetings,
Juergen






Re: why we need to provide security realm name to a standalone ejb client?

Posted by David Jencks <da...@yahoo.com>.
This is the right place to ask this question.

Geronimo lets you set up many security realms at once.  When you connect from a remote client to call ejbs, there's no easy way to predict which application's ejb or which ejb you want to call.  So you have to specify how you want to log in when you connect.

We could allow specifying a default security realm for all of openejb so if you don't specify a realm we use the default.

thanks
david jencks
