[JBoss-user] [Security & JAAS/JBoss] - Re: newbie: JAAS howto using EJB3

2005-11-15 Thread oglueck
1. Webapps are web clients, not application clients. Webapps should therefore 
use the security mechanisms provided by the J2EE specs, i.e. you define the 
realm and roles to use in web.xml and jboss-web.xml; JAAS and the servlet 
container do the rest. The security context is automatically propagated with 
your EJB calls. That means in web clients there is no code necessary. It is 
pure configuration.

2. Yes. You can also define a dynamic login config, so you are able to deploy 
the config with your application. See 
http://wiki.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig

3. This is the configuration for JAAS. RTFM at 
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html

4. Of course. We call this a "role". Access control is enforced on session 
beans. Not sure if you can enforce it on entity beans, too. Check the specs.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3907212#3907212



---
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
___
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user
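Answer 4 above covers the role check; whether a "Customer" may modify one particular "Address" is a question about that record's owner, which a role alone cannot answer. The following is an added example, not code from the thread, showing how a session bean combines @RolesAllowed with an owner comparison against the caller principal that JBoss's security domain established (the principal name is the user id the login module authenticated). The Address type and its ownerUserId field are assumed for illustration.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.annotation.security.SecurityDomain;

// Assumed domain type (not from the thread): an address record that carries
// the user id of the customer who owns it, as loaded from the database.
class Address {
    String ownerUserId;
    String street;
}

@SecurityDomain("mydomain")
@Stateless
public class AddressBean {
    @Resource private SessionContext sc; // injected by the container

    // Coarse-grained check: only callers holding the "Customer" role reach
    // the method body. The container evaluates this before the call.
    @RolesAllowed("Customer")
    public void updateAddress(Address stored, String newStreet) {
        // Fine-grained check: the role says "some customer", the principal
        // says "which customer". Compare it with the owner recorded on the
        // row, never with a user id supplied by the client, so one customer
        // cannot edit another customer's address.
        Principal caller = sc.getCallerPrincipal();
        if (!isOwner(caller, stored)) {
            throw new EJBAccessException("caller does not own this address");
        }
        stored.street = newStreet;
    }

    // Ownership test kept separate so it can be unit-tested without a container.
    static boolean isOwner(Principal caller, Address stored) {
        return caller != null
            && stored != null
            && stored.ownerUserId != null
            && stored.ownerUserId.equals(caller.getName());
    }
}
```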


[JBoss-user] [Security & JAAS/JBoss] - Re: newbie: JAAS howto using EJB3

2005-11-15 Thread patrick_ibg
One more newbie question :)

4. Does JAAS (or some other JBoss security mechanism) allow for "owner" 
permissions, like if I am a "Customer", I can only modify my "Address", etc.



View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3907206#3907206





[JBoss-user] [Security & JAAS/JBoss] - Re: newbie: JAAS howto using EJB3

2005-11-15 Thread patrick_ibg
The annotations seem to get rid of a lot of XML that I see with EJB2.1 based 
security configuration examples. I have a few additional questions...

1. Would the client code be much different if it was a web app (war file 
running in JBoss)?

2. As for the "conf/login-config.xml", it looks like I can only have one per 
JBoss instance, but can define multiple domains within this file?

3. What is jaas.conf for, and where does it go?

Thanks in advance.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3907203#3907203





[JBoss-user] [Security & JAAS/JBoss] - Re: newbie: JAAS howto using EJB3

2005-11-15 Thread oglueck
Your session bean:

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.annotation.security.SecurityDomain;

@SecurityDomain("mydomain")
@Stateless
@Remote({ITestBean.class})
public class TestBean implements ITestBean {
    @Resource private SessionContext sc; // injected by the container, exposes the caller

    @RolesAllowed("myrole")
    public String accessPermitted() {
        return sc.getCallerPrincipal().getName();
    }
}

Define the security domain in conf/login-config.xml:

<application-policy name="mydomain">
  <authentication>
    <!-- login-module class assumed: the options below are the ones
         DatabaseServerLoginModule reads -->
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <module-option name="dsJndiName">java:/myDS</module-option>
      <module-option name="principalsQuery">SELECT PASSWD FROM USERS WHERE USERID=?</module-option>
      <module-option name="rolesQuery">SELECT ROLEID, 'Roles' FROM ROLES WHERE USERID=?</module-option>
    </login-module>
  </authentication>
</application-policy>


From a client (outside JBoss):

import java.net.URL;
import java.net.URLDecoder;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

ClassLoader cl = Thread.currentThread().getContextClassLoader();
URL authconf = cl.getResource("jaas.conf");
// work around a JDK bug that fails to unescape the URL
String p = URLDecoder.decode(authconf.toExternalForm(), "UTF-8");
System.setProperty("java.security.auth.login.config", p);

// your JAAS callback handler; JBoss ships UsernamePasswordHandler for the simple case
CallbackHandler handler = new UsernamePasswordHandler(username, password.toCharArray());
LoginContext auth = new LoginContext("other", handler);
// ClientLoginModule only attaches the credentials to outgoing invocations;
// the server's security domain is what actually authenticates them
auth.login();

// make calls to session beans (JNDI provider settings come from jndi.properties)
Context jndi = new InitialContext();
ITestBean bean = (ITestBean) jndi.lookup(ITestBean.class.getName());
log.debug(bean.accessPermitted()); // log is your application's logger
auth.logout();


jaas.conf is something like this:
other {
   org.jboss.security.ClientLoginModule  required;
};
 

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3907174#3907174


