-
1. Re: EJB Server to Server Security
jaikiran Jun 10, 2012 8:13 AM (in response to henry.short)
Hmm, good question. Looking at the jboss-as-remoting xsd I don't see a way to do this without explicitly setting the username attribute for the remote outbound connection. I think this could be a feature request, but let me check with Darran and see if he agrees.
-
2. Re: EJB Server to Server Security
henry.short Jun 10, 2012 12:29 PM (in response to jaikiran)
Thanks for the prompt response. Is the user authenticated in the remote outbound connection in the standalone.xml the user that will be associated with the EJB call to getCallerPrincipal()?
Here is my situation: EJB on Server A calls EJB on Server B. I want the caller principal associated with EJB on Server A to be associated with the EJB on Server B. So when EJB on Server B calls getCallerPrincipal it will return the principal from EJB on Server A, not the user specified in the standalone.xml.
Is the user specified in standalone.xml going to be returned when EJB on Server B calls getCallerPrincipal?
If not, how do I pass the EJB principal from Server A to Server B?
Would I use calls like:
jndiProperties.put(Context.SECURITY_PRINCIPAL, [EJB Principal]);
jndiProperties.put(Context.SECURITY_CREDENTIALS, [EJB Credentials]);
-
3. Re: EJB Server to Server Security
henry.short Jun 14, 2012 1:14 AM (in response to henry.short)
Any ideas would really help me out? There must be a way to pass the EJB caller principal from Server A to Server B. This was possible in older versions of JBoss.
-
4. Re: EJB Server to Server Security
rodakr Jun 14, 2012 4:22 AM (in response to henry.short)
I also need security context propagation.
In Weblogic you have something called "Domain Trust". What it basically does is trust principals authenticated on the same "security domain". This is achieved with an encrypted "domain credential". I guess some digest is attached to the authenticated principal. When the remote server can decrypt it and it matches the "domain credential" on the remote server, then authentication is successful and principals are trusted.
-
5. Re: EJB Server to Server Security
henry.short Jun 21, 2012 10:15 AM (in response to rodakr)
Any ideas how to pass EJB security credentials from server to server without hardcoding the EJB user in standalone.xml? I won't be able to use JBoss 7 unless there is a way to do this.
-
-
7. Re: EJB Server to Server Security
henry.short Jun 21, 2012 3:32 PM (in response to jaikiran)
Thanks for all your help Jaikiran. I will keep watch for that issue to be resolved. As a workaround for JBoss 7.1.1 would it be possible to use the JBoss Remote Naming option and pass the credentials through properties like the following? Can this code be used for EJB Server to Server calls or only from a Standalone client?
jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
jndiProperties.put(Context.PROVIDER_URL,"remote://[Remote Host]:4447");
jndiProperties.put(Context.SECURITY_PRINCIPAL, username);
jndiProperties.put(Context.SECURITY_CREDENTIALS, password);
Context context = new InitialContext(jndiProperties);
-
8. Re: EJB Server to Server Security
jaikiran Jun 22, 2012 7:17 AM (in response to henry.short)
Although you can use that, it's going to be no different, since ultimately for EJB invocations the remote-naming, in the absence of the jboss.naming.client.ejb.context JNDI property, is going to let the EJB client API control the EJB receiver creation. This ultimately means that the EJB client API is going to rely on the jboss-ejb-client.xml file for using the information in there for connection creation.
Setting jboss.naming.client.ejb.context to true in the JNDI properties on the server side isn't allowed, since that will trigger the remote-naming API to take control of EJB receiver(s) creation and setting the EJBClientContextSelector, which isn't allowed on the server side.
-
9. Re: EJB Server to Server Security
rob.edgecombe Jul 22, 2012 8:47 PM (in response to henry.short)
Hi Henry,
I have also hit this issue and was wondering if:
- the approach you outline here does in fact work (i.e. this bypasses the remote-outbound-connection); or
- if Jaikiran's response is true (i.e. that you cannot get around the remote-outbound-connection configuration).
We have a network topology that dictates Web and Business resources are on separate VMs, so this is a potential showstopper for us.
-
10. Re: EJB Server to Server Security
mcconnells Aug 3, 2012 11:27 AM (in response to henry.short)
In the issue AS7-5147, notes indicate that work has commenced targeting AS7.2 alpha 1 scheduled for the 16 August 2012. Is that date safe to schedule against? Is there a target schedule for AS7.2 final? With resolution of this item I have at least a couple of projects that I could position AS7.2 as a candidate platform.
-
11. Re: EJB Server to Server Security
henry.short Aug 16, 2012 5:14 PM (in response to mcconnells)
Jaikiran's response is true, you cannot get around this limitation.
-
12. Re: EJB Server to Server Security
robby.cornelissen Apr 30, 2013 11:10 PM (in response to jaikiran)
Hi Jaikiran,
I'm also facing this issue. In the absence of the feature specified in https://issues.jboss.org/browse/AS7-5047, what would be a good way to pass the user principal authenticated on server A (using servlet authentication) to an EJB invoked remotely on server B?
I've been scouring the internet for a couple of days now, and have yet to find an elegant solution. My code base is pretty big, and having to add user information as a parameter to every method will require some major refactoring. Note that I only need the user information for auditing purposes. As far as security goes, I followed the approach you described in https://docs.jboss.org/author/display/AS71/EJB+invocations+from+a+remote+server+instance, which worked like a charm.
Thanks for your feedback
-
13. Re: EJB Server to Server Security
jaikiran Apr 30, 2013 11:59 PM (in response to robby.cornelissen)
Robby Cornelissen wrote:
Hi Jaikiran,
I'm also facing this issue. In the absence of the feature specified in https://issues.jboss.org/browse/AS7-5047, what would be a good way to pass the user principal authenticated on server A (using servlet authentication) to an EJB invoked remotely on server B?
Does this help https://github.com/jboss-jdf/jboss-as-quickstart/tree/master/ejb-security-interceptors?
-
14. Re: EJB Server to Server Security
robby.cornelissen May 1, 2013 12:21 AM (in response to jaikiran)
Looks like it might :-) Will give it a try later today, and see where I end up.
Thanks for your help,
R.
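
An added sketch of the interceptor approach that reply 13 links to, for the audit-only case asked about in reply 12. It is not part of any post in this thread and is not the quickstart's code. The context-data key, class names and `TRUSTED_CONNECTION_USER` value are hypothetical, and it assumes the jboss-ejb-client 1.x and PicketBox classes imported below are on the classpath.

```java
import java.security.Principal;
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.ejb.EJBContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import org.jboss.ejb.client.EJBClientInterceptor;
import org.jboss.ejb.client.EJBClientInvocationContext;
import org.jboss.security.SecurityContextAssociation;

public final class AuditPropagation {
    static final String AUDIT_USER_KEY = "example.audit.user"; // hypothetical key name
    // Server A: attaches the current caller's name to every outgoing remote EJB call.
    public static class ClientInterceptor implements EJBClientInterceptor {
        public void handleInvocation(EJBClientInvocationContext context) throws Exception {
            Principal caller = SecurityContextAssociation.getPrincipal();
            if (caller != null) {
                context.getContextData().put(AUDIT_USER_KEY, caller.getName());
            }
            context.sendRequest();
        }
        public Object handleInvocationResult(EJBClientInvocationContext context) throws Exception {
            return context.getResult();
        }
    }

    // Server B: bind to the target bean with @Interceptors(AuditPropagation.ServerInterceptor.class).
    public static class ServerInterceptor {
        // Constructed value: the user configured on server A's remote-outbound-connection.
        static final String TRUSTED_CONNECTION_USER = "server-a-connection-user";
        private static final Logger AUDIT = Logger.getLogger("example.audit");
        @Resource private EJBContext ejbContext;

        @AroundInvoke
        public Object audit(InvocationContext ctx) throws Exception {
            String connectionUser = ejbContext.getCallerPrincipal().getName();
            Object claimed = ctx.getContextData().get(AUDIT_USER_KEY);
            // The claimed name is only as trustworthy as the connection that carried it.
            String onBehalfOf = "(none)";
            if (TRUSTED_CONNECTION_USER.equals(connectionUser) && claimed instanceof String) {
                // Neutralise line breaks so the value cannot forge extra audit records.
                onBehalfOf = ((String) claimed).replaceAll("[\\r\\n]", "_");
            }
            AUDIT.info(ctx.getMethod().getName() + " connection-user=" + connectionUser
                    + " on-behalf-of=" + onBehalfOf);
            return ctx.proceed();
        }
    }
}
```

The client interceptor still has to be registered on server A, for example through `EJBClientContext.registerInterceptor`. The propagated name is a claim made by server A, so this sketch records it for auditing only and leaves `getCallerPrincipal()` on server B returning the connection user.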