20 Replies Latest reply on May 28, 2013 9:37 AM by dlofthouse

    EJB Server to Server Security

    henry.short

      The EJB Invocations from a Remote Server guide provided a great solution for authenticating a single user calling a remote EJB. I want to be able to authenticate different users calling remote EJBs rather than hardcoding a single user in standalone.xml. Is there a way to specify the user and password programmatically rather than in the standalone.xml for EJB invocations from server to server instance?

        • 1. Re: EJB Server to Server Security
          jaikiran

          Hmm good question. Looking at the jboss-as-remoting xsd I don't see a way to do this without explicitly setting the username attribute for the remote outbound connection. I think this could be a feature request, but let me check with Darran and see if he agrees.

          • 2. Re: EJB Server to Server Security
            henry.short

            Thanks for the prompt response. Is the user authenticated in the remote outbound connection in the standalone.xml the user that will be associated with the EJB call to getCallerPrincipal()?

             

            Here is my situation: EJB on Server A calls EJB on Server B. I want the caller principal associated with EJB on Server A to be associated with the EJB on Server B. So when EJB on Server B calls getCallerPrincipal it will return the principal from EJB on Server A, not the user specified in the standalone.xml.

             

            Is the user specified in standalone.xml going to be returned when EJB on Server B calls getCallerPrincipal?

            If not, how do I pass the EJB principal from Server A to Server B?

            Would I use calls like:

              jndiProperties.put(Context.SECURITY_PRINCIPAL, [EJB Principal]);

              jndiProperties.put(Context.SECURITY_CREDENTIALS, [EJB Credentials]);

            • 3. Re: EJB Server to Server Security
              henry.short

              Any ideas would really help me out. There must be a way to pass the EJB caller principal from Server A to Server B. This was possible in older versions of JBoss.

              • 4. Re: EJB Server to Server Security
                rodakr

                I also need security context propagation.

                In WebLogic you have something called "Domain Trust". What it basically does is trust principals authenticated on the same "security domain". This is achieved with an encrypted "domain credential". I guess some digest is attached to the authenticated principal. When the remote server can decrypt it and it matches the "domain credential" on the remote server, then authentication is successful and the principals are trusted.

                • 5. Re: EJB Server to Server Security
                  henry.short

                  Any ideas how to pass EJB security credentials from server to server without hardcoding the EJB user in standalone.xml? I won't be able to use JBoss 7 unless there is a way to do this.

                  • 6. Re: EJB Server to Server Security
                    jaikiran
                    • 7. Re: EJB Server to Server Security
                      henry.short

                      Thanks for all your help Jaikiran. I will keep watch for that issue to be resolved. As a workaround for JBoss 7.1.1 would it be possible to use the JBoss Remote Naming option and pass the credentials through properties like the following? Can this code be used for EJB Server to Server calls or only from a Standalone client?

                       

                            import java.util.Properties;
                            import javax.naming.Context;
                            import javax.naming.InitialContext;

                            Properties jndiProperties = new Properties();
                            jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
                            jndiProperties.put(Context.PROVIDER_URL, "remote://[Remote Host]:4447");
                            jndiProperties.put(Context.SECURITY_PRINCIPAL, username);
                            jndiProperties.put(Context.SECURITY_CREDENTIALS, password);
                            Context context = new InitialContext(jndiProperties);

                      • 8. Re: EJB Server to Server Security
                        jaikiran

                        Although you can use that, it's going to be no different, since ultimately for EJB invocations the remote-naming, in the absence of the jboss.naming.client.ejb.context JNDI property, is going to let the EJB client API control the EJB receiver creation. This ultimately means that the EJB client API is going to rely on the jboss-ejb-client.xml file for using the information in there for connection creation.

                         

                        Setting jboss.naming.client.ejb.context to true in the JNDI properties on the server side, isn't allowed since that will trigger remote-naming API to take control of EJB receiver(s) creation and setting the EJBClientContextSelector, which isn't allowed on the server side.


                        • 9. Re: EJB Server to Server Security
                          rob.edgecombe

                          Hi Henry,

                           

                          I have also hit this issue and was wondering if:

                          • the approach you outline here does in fact work (i.e. this bypasses the remote-outbound-connection); or
                          • Jaikiran's response is true (i.e. you cannot get around the remote-outbound-connection configuration).

                           

                          We have a network topology that dictates Web and Business resources are on separate VMs, so this is a potential showstopper for us.

                          • 10. Re: EJB Server to Server Security
                            mcconnells

                            In the issue AS7-5147, notes indicate that work has commenced targeting AS7.2 alpha 1 scheduled for the 16 August 2012. Is that date safe to schedule against? Is there a target schedule for AS7.2 final? With resolution of this item I have at least a couple of projects that I could position AS7.2 as a candidate platform.

                             

                             

                            • 11. Re: EJB Server to Server Security
                              henry.short

                              Jaikiran's response is true, you cannot get around this limitation.

                              • 12. Re: EJB Server to Server Security
                                robby.cornelissen

                                Hi Jaikiran,

                                 

                                I'm also facing this issue. In the absence of the feature specified in https://issues.jboss.org/browse/AS7-5047, what would be a good way to pass the user principal authenticated on server A (using servlet authentication) to an EJB invoked remotely on server B?

                                 

                                I've been scouring the internet for a couple of days now, and have yet to find an elegant solution. My code base is pretty big, and having to add user information as a parameter to every method will require some major refactoring. Note that I only need the user information for auditing purposes. As far as security goes, I followed the approach you described in https://docs.jboss.org/author/display/AS71/EJB+invocations+from+a+remote+server+instance, which worked like a charm.

                                 

                                Thanks for your feedback

                                • 13. Re: EJB Server to Server Security
                                  jaikiran

                                  Robby Cornelissen wrote:

                                  Hi Jaikiran,

                                  I'm also facing this issue. In the absence of the feature specified in https://issues.jboss.org/browse/AS7-5047, what would be a good way to pass the user principal authenticated on server A (using servlet authentication) to an EJB invoked remotely on server B?

                                  Does this help https://github.com/jboss-jdf/jboss-as-quickstart/tree/master/ejb-security-interceptors?
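                                  The interceptor pair that the quickstart linked above is built around, written out here as an added example (this is not code from this thread, from the quickstart, or from JBoss AS itself). It assumes JBoss AS 7.1 with the org.jboss.ejb.client API and the PicketBox security API (org.jboss.security) on the classpath; the package name, the context-data key and the hard-coded set of connection users allowed to delegate are all hypothetical, and a real deployment would read that set from configuration. The point for the thread: the connection from Server A to Server B still authenticates as the user in standalone.xml, the caller's name rides along in the invocation context data, and Server B only honours that name when the connection user is one it trusts to assert other identities; without that check any client that can open a connection could impersonate anyone by setting the key.

```java
// Added example, not code from this thread or from the ejb-security-interceptors quickstart.
// Assumed: JBoss AS 7.1, org.jboss.ejb.client API, PicketBox (org.jboss.security) API.
// The package, the context-data key and TRUSTED_DELEGATORS are hypothetical.
package org.example.ejbsec;

import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

import org.jboss.ejb.client.EJBClientInterceptor;
import org.jboss.ejb.client.EJBClientInvocationContext;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityContextFactory;
import org.jboss.security.SimplePrincipal;

public final class PrincipalPropagation {

    /** Key under which the delegated user name travels in the invocation context data. */
    public static final String DELEGATED_USER_KEY = "org.example.ejbsec.delegated-user";

    /** Connection users (the user named in Server A's remote-outbound-connection) that
     *  Server B trusts to assert another identity. Hypothetical hard-coded set: a caller
     *  outside it must not be able to impersonate users just by setting the context key. */
    static final Set<String> TRUSTED_DELEGATORS =
            Collections.unmodifiableSet(new HashSet<String>(Arrays.asList("serverA-app")));

    private PrincipalPropagation() {}

    /**
     * Runs on Server A inside the EJB client context. Registered by listing its binary name
     * (org.example.ejbsec.PrincipalPropagation$ClientSide) in the deployment's
     * META-INF/services/org.jboss.ejb.client.EJBClientInterceptor file. The connection still
     * authenticates as the standalone.xml user; only the caller's name is added to the request.
     */
    public static final class ClientSide implements EJBClientInterceptor {
        @Override
        public void handleInvocation(EJBClientInvocationContext context) throws Exception {
            SecurityContext sc = SecurityContextAssociation.getSecurityContext();
            Principal caller = sc == null ? null : sc.getUtil().getUserPrincipal();
            if (caller != null) {
                context.getContextData().put(DELEGATED_USER_KEY, caller.getName());
            }
            context.sendRequest();
        }

        @Override
        public Object handleInvocationResult(EJBClientInvocationContext context) throws Exception {
            return context.getResult();
        }
    }

    /**
     * Runs on Server B, bound to the target bean with
     * @Interceptors(PrincipalPropagation.ServerSide.class). The container has already
     * authenticated the connection user before this runs; the interceptor only swaps the
     * associated security context so getCallerPrincipal() reports the delegated user.
     */
    public static final class ServerSide {
        @AroundInvoke
        public Object aroundInvoke(InvocationContext ctx) throws Exception {
            Object requested = ctx.getContextData().get(DELEGATED_USER_KEY);
            if (!(requested instanceof String)) {
                return ctx.proceed();                       // ordinary call: nothing to switch
            }
            SecurityContext connection = SecurityContextAssociation.getSecurityContext();
            Principal connectionUser =
                    connection == null ? null : connection.getUtil().getUserPrincipal();
            if (connectionUser == null || !TRUSTED_DELEGATORS.contains(connectionUser.getName())) {
                // Reject rather than silently fall back to the connection user: a caller that
                // sets the key without being trusted is attempting impersonation.
                throw new SecurityException("connection user " + connectionUser
                        + " is not allowed to delegate as " + requested);
            }
            // Same security domain as the connection, new principal, no credential: Server B
            // trusts Server A's assertion, the trust resting on the authenticated connection.
            SecurityContext delegated = SecurityContextFactory.createSecurityContext(
                    connection.getSecurityDomain());
            delegated.getUtil().createSubjectInfo(new SimplePrincipal((String) requested), null, null);
            SecurityContextAssociation.setSecurityContext(delegated);
            try {
                return ctx.proceed();
            } finally {
                SecurityContextAssociation.setSecurityContext(connection);   // always restore
            }
        }
    }
}
```

                                  Two caveats a practitioner should keep in mind. This covers the auditing case asked about above (getCallerPrincipal() on Server B returns the Server A caller), but bean-level @Interceptors run after the container's own security interceptors, so @RolesAllowed on Server B is still evaluated against the connection user from standalone.xml; switching roles as well needs the security domain on Server B to authenticate the delegated name, which the quickstart does with its own login module and this example leaves out. And because the delegated name is a bare string with no credential, the TRUSTED_DELEGATORS check is the only thing standing between a connection user and arbitrary impersonation, so that set should be kept to the single server-to-server account.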

                                  • 14. Re: EJB Server to Server Security
                                    robby.cornelissen

                                    Looks like it might :-) Will give it a try later today, and see where I end up.

                                     

                                    Thanks for your help,

                                     

                                    R.
