Prior to JSecurity, I have an existing EJB3 session that provides simple authentication, returning a User object:
public interface ISecurityFinderSvcRemote {
User authenticateUser(String loginId, String password) throws MyAuthenticationException;
// ... and more methods here ...
}
It's currently accessed from a Tapestry login page like this:
User user = getSecurityFinderService().authenticateUser(_loginId, _password);
with the usual try/catch stuff around it.
My question is how to implement JSecurity in this situation? A key requirement is to use the authorisation info in both the web and EJB layers.
Does anyone have an example?
Re: Simple web to EJB3 authentication
Hi Geoff,
When you say EJB3 session, what do you mean exactly? The HttpSession or an EJB Stateful Session Bean? Please clarify.
Also, in JSecurity 0.9 beta and moving forward, this line:
// ...and more methods here ...
would be something like this:
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
subject.authenticate(token);
return getUserService().getUser( subject.getPrincipal() );
Re: Simple web to EJB3 authentication
Oops, I meant EJB3 Session Bean.
This line:
// ...and more methods here ...
is in the session bean's interface ISecurityFinderSvcRemote.
Are you intending the code you replaced it with to run in the web server or the session bean?
Re: Re: Simple web to EJB3 authentication
I suppose another question would be, are you using the JSecurityFilter in web.xml? Or are you setting up JSecurity outside of a web environment?
Re: Re: Simple web to EJB3 authentication
Technically it shouldn't matter. The JSecurity API was designed to be both container and tier-independent. In other words, the code chunk should perform identically in a web app, a Swing application, a headless server, etc.
Although we have tested the API extensively on non-EJB3 server environments (web, non-web) as well as all sorts of client environments, I don't know that there is framework code set up yet to make EJB3 work without doing anything. Could you describe the scenario that you're trying to accomplish a little more (10,000 foot overview of the use case)? If it leads to us providing better EJB3 support, that would be a big benefit to both you and the community.
Thanks!
Les
Re: Simple web to EJB3 authentication
Sure. The requirement is
* a login screen on web UI.
* existing database holds authentication info (users and passwords) and authorisation info (roles and perhaps function rights and data rights).
* web layer calls business layer (session facade through session beans) to authenticate user because web layer cannot see the database.
* web layer calls business layer to get authorisation info. OK for this to be static - i.e. once per web session.
* web layer uses the authorisation info to disable certain buttons and menu options.
* business layer uses authorisation info to prevent use of certain business facade APIs.
* business layer might use authorisation info to filter the requests or the data it returns.
Ideally both the web and business layers could continue to use the existing entities as much as possible and the JSecurity entities such as Subject and Account would appear in the code as little as possible (unless that's impractical - what do you think?).
The business layer will probably be local to the web layer (in same JBoss server).
As for the JSecurityFilter, I found I had to include it in web.xml for this line to work in the login page:
Subject currentUser = SecurityUtils.getSubject();
Cheers,
Geoff
JSecurity in EJB3 environment
If I'm understanding you correctly, you want to keep your code as similar as possible, but use JSecurity under the hood.
You can simply modify your authenticateUser method to call subject.authenticate(..) internally. In order for SecurityUtils.getSubject() to work, you do have to include a JSecurityFilter in your web.xml. However, in a non-web based environment you could simply obtain a reference to SecurityManager and call SecurityManager.getSubject(...).
How you obtain SecurityManager depends on your environment - you could create a SecurityManager and bind it to JNDI, then inject it into your EJB using an @Resource annotation.
Alternatively, creating a JSecurityFilter should work fine in a web-based environment and does not rule out accessing JSecurity in the business-tier. It simply binds security context related objects to the request thread for easy access (that's what allows SecurityUtils.getSubject() to function correctly).
If you could explain how you would like this process to work in your environment (perhaps some sample code), we can provide more detailed information or maybe even improve JSecurity to work better in your environment.
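Added example (not code from the thread or from JSecurity itself) of the approach Les describes: the existing ISecurityFinderSvcRemote contract is kept and authenticateUser delegates to JSecurity, with the SecurityManager injected from JNDI via @Resource and the same Subject used to enforce roles in the business tier. It assumes the bean is called locally in the same JBoss JVM after the JSecurityFilter has bound the security context to the request thread; the JNDI name, the hasRole method on the facade, the UserService field, the role name and the MyAuthenticationException(message, cause) constructor are assumptions.

```java
import javax.annotation.Resource;
import javax.ejb.Stateless;
import org.jsecurity.authc.AuthenticationException;
import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.mgt.SecurityManager;
import org.jsecurity.subject.Subject;

// Stateless session bean keeping the existing ISecurityFinderSvcRemote contract while
// delegating to JSecurity. The SecurityManager (with its Realms) is bound in JNDI by
// the deployment and injected by the container; the JNDI name is a placeholder.
@Stateless
public class SecurityFinderSvcBean implements ISecurityFinderSvcRemote {

    @Resource(mappedName = "java:/jsecurity/securityManager") // placeholder JNDI name
    private SecurityManager securityManager;

    private UserService userService; // existing service that loads the User entity (injection omitted)

    public User authenticateUser(String loginId, String password) throws MyAuthenticationException {
        // getSubject() without arguments is assumed here; the thread writes getSubject(...).
        Subject subject = securityManager.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(loginId, password);
        try {
            subject.authenticate(token); // method name as used in the thread's 0.9 beta snippet
        } catch (AuthenticationException e) {
            // Wrap the framework exception so the Tapestry page keeps its existing catch block;
            // the message stays generic so it does not reveal whether the login id exists.
            throw new MyAuthenticationException("Authentication failed", e); // assumed (message, cause) constructor
        }
        return userService.getUser(subject.getPrincipal());
    }

    // Lets the web layer fetch authorisation info once per session to enable/disable UI controls.
    public boolean hasRole(String roleName) {
        return securityManager.getSubject().hasRole(roleName); // hasRole(String) assumed on Subject
    }

    // Business facade method that enforces the same role in the EJB tier, so hiding a
    // button in the UI is never the only control.
    public void closeAccount(long accountId) {
        Subject subject = securityManager.getSubject();
        if (!subject.hasRole("account-admin")) { // constructed role name
            throw new SecurityException("Caller lacks role account-admin");
        }
        // ... existing business logic ...
    }
}
```

The Tapestry login page keeps calling getSecurityFinderService().authenticateUser(_loginId, _password) unchanged; only the bean's internals move onto JSecurity.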
Re: Re: Simple web to EJB3 authentication
Hi Geoff,
I haven't forgotten about you ;) I was just traveling yesterday and I'll be busy with a deadline today. But I or one of the other developers will answer as soon as we can!
Les
Re: Re: Simple web to EJB3 authentication
Are you sure you haven't forgotten? I'm really keen to get this going so I can incorporate it into Tapestry JumpStart (http://files.doublenegative.com.au/jumpstart/).
Geoff
Re: Re: Re: Simple web to EJB3 authentication
Hi Geoff,
Good news. There has been quite a bit of discussion on the dev list lately on how to support this cleanly. I think we've come up with a good solution.
Here are the threads in case you're curious about following along:
Environment-specific Configuration (was JSecurity in EJB3 Environments)
I hope to have some sense of an implementation of this over the next week.
Please let me know if you have any comments or suggestions.
Cheers,
Les
Re: Re: Re: Simple web to EJB3 authentication
Hi Geoff,
Nope, I haven't forgotten!
But I am sorry that it is taking longer than desired. I'll definitely make this a priority over the next few days.
Can you describe to me your ideal deployment scenario?
Currently the JSecurityFilter in web.xml creates a SecurityManager. The SecurityManager needs one or more Realms to be injected into it in order for JSecurity to talk to your data sources. In an EJB3 environment, how should the JSecurityFilter acquire the Realms? A collection of Realms bound to JNDI?
In our Spring support, the users define the JSecurity SecurityManager in a spring.xml file. The SpringJSecurityFilter just does a Spring applicationContext.getBean("securityManager"); call and we have what we need. I'm trying to see a parallel scenario in an EJB3 environment.
Just thinking out loud here - any feedback on what you would like would be most helpful and then I can focus my efforts there.
Thanks Geoff!
Les