
Added new quickstart security quick starts< ejb-security, servlet-sec…

…urity>
Sherif Makary
Sherif Makary committed Mar 2, 2012
1 parent 8dd4a28 commit cc6f78928a8b13d0cb9b742620bae4f060c3149a
@@ -0,0 +1,61 @@
+EJB Security Example
+
+Author: Sherif Makary, RH MW SA
+
+This example demonstrates the use of JEE declarative security to control access to EJB 3 and Security in JBoss EAP 6
+
+The example can be deployed using Maven from the command line or from Eclipse using JBoss Tools.
+
+To set up Maven or JBoss Tools in Eclipse, refer to the Getting Started Developing Applications Guide.
+
+To deploy to JBoss AS 7, start JBoss AS 7 and type mvn package jboss-as:deploy. The application is deployed to http://localhost:8080/jboss-as-secured-servlet/CallSecuredEJBServlet. You can read more details in the Getting Started Developing Applications Guide.
+
+To implement EJB security, you need to:
+-Add a security-domain to your jboss-web.xml
+-Configure a security domain in standalone.xml
+-Have users.properties and roles.properties files in WEB-INF/classes directory of your web application
+
+To implement EJB declerative security, you need to:
+-Add security annotations to your EJB declaration
+-Make sure the allowed user role is the same as the role defined in roles.properties file
+-Make sure the security domain referenced in jboss-web.xml is defined in the EAP 6 standalone.xml, this is the configuration snipt:
+
+<security-domain name="WebSecurityBasic" cache-type="required"></pre>
+
+<authentication>
+
+<login-module code="UsersRoles" flag="required">
+
+<module-option name="usersProperties" value="users.properties"/>
+
+<module-option name="rolesProperties" value="roles.properties"/>
+
+</login-module>
+
+</authentication>
+
+</security-domain>
+
+For references, please refer to:
+
+Getting Started Developing Applications Guide.
+JBoss AS7: Security : EJB3 Security.
+
+Test Scenario:
+-After successful war deployment to EAP 6
+-Run the url http://localhost:8080/jboss-as-ejb-security/CallSecuredEJBServlet
+-You should get a browser log-in challenge
+-After successful login using admin/admin, the browser will display some security info:
+
+"Successfully called Secured EJB
+
+Principal : admin
+
+Remote User : admin
+
+Authentication Type : BASIC
+"
+
+
+-Change the role in roles.properties to "gooduser1"
+-Redeploy the war and refresh the browser and clear the active login and you should get a security exception.
@@ -0,0 +1,114 @@
+<?xml version="1.0"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <groupId>org.jboss.as.quickstarts</groupId>
+ <artifactId>jboss-as-ejb-security</artifactId>
+ <version>7.0.2.CR4</version>
+ <packaging>war</packaging>
+ <name>JBoss AS Quickstarts: ejb-security</name>
+ <description>JBoss AS Quickstarts: ejb-security</description>
+
+ <url>http://jboss.org/jbossas</url>
+ <licenses>
+ <license>
+ <name>Apache License, Version 2.0</name>
+ <distribution>repo</distribution>
+ <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
+ </license>
+ </licenses>
+
+ <properties>
+ <!-- Explicitly declaring the source encoding eliminates the following
+ message: -->
+ <!-- [WARNING] Using platform encoding (UTF-8 actually) to copy filtered
+ resources, i.e. build is platform dependent! -->
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+
+ <dependencyManagement>
+ <dependencies>
+ <!-- Define the version of JBoss' Java EE 6 APIs we want to use -->
+ <!-- JBoss distributes a complete set of Java EE 6 APIs including
+ a Bill of Materials (BOM). A BOM specifies the versions of a "stack" (or
+ a collection) of artifacts. We use this here so that we always get the correct
+ versions of artifacts. Here we use the jboss-javaee-6.0 stack (you can
+ read this as the JBoss stack of the Java EE 6 APIs). You can actually
+ use this stack with any version of JBoss AS that implements Java EE 6, not
+ just JBoss AS 7! -->
+ <dependency>
+ <groupId>org.jboss.spec</groupId>
+ <artifactId>jboss-javaee-6.0</artifactId>
+ <version>3.0.0.Beta1-redhat-1</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
+ </dependencies>
+ </dependencyManagement>
+
+ <dependencies>
+
+ <!-- Import the CDI API, we use provided scope as the API is included
+ in JBoss AS 7 -->
+ <dependency>
+ <groupId>javax.enterprise</groupId>
+ <artifactId>cdi-api</artifactId>
+ <scope>provided</scope>
+ </dependency>
+
+ <!-- Import the Common Annotations API (JSR-250), we use provided scope
+ as the API is included in JBoss AS 7 -->
+ <dependency>
+ <groupId>org.jboss.spec.javax.annotation</groupId>
+ <artifactId>jboss-annotations-api_1.1_spec</artifactId>
+ <scope>provided</scope>
+ </dependency>
+
+ <!-- Import the Servlet API, we use provided scope as the API is included
+ in JBoss AS 7 -->
+ <dependency>
+ <groupId>org.jboss.spec.javax.servlet</groupId>
+ <artifactId>jboss-servlet-api_3.0_spec</artifactId>
+ <scope>provided</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.jboss.spec.javax.ejb</groupId>
+ <artifactId>jboss-ejb-api_3.1_spec</artifactId>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <!-- Set the name of the war, used as the context root when the app
+ is deployed -->
+ <finalName>jboss-as-ejb-security</finalName>
+ <plugins>
+ <plugin>
+ <artifactId>maven-war-plugin</artifactId>
+ <version>2.1.1</version>
+ <configuration>
+ <!-- Java EE 6 doesn't require web.xml, Maven needs to catch
+ up! -->
+ <failOnMissingWebXml>false</failOnMissingWebXml>
+ </configuration>
+ </plugin>
+ <!-- JBoss AS plugin to deploy war -->
+ <plugin>
+ <groupId>org.jboss.as.plugins</groupId>
+ <artifactId>jboss-as-maven-plugin</artifactId>
+ <version>7.1.0.CR1</version>
+ </plugin>
+ <!-- Compiler plugin enforces Java 1.6 compatibility and activates
+ annotation processors -->
+ <plugin>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <version>2.3.1</version>
+ <configuration>
+ <source>1.6</source>
+ <target>1.6</target>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
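Review bot: The `jboss-ejb-api_3.1_spec` dependency at the end of the `<dependencies>` block is the only one declared without `<scope>provided</scope>`, so it defaults to compile scope and the API jar would be packaged into the WAR's WEB-INF/lib. The comments on the other three dependencies say these APIs are supplied by JBoss AS 7, and a bundled copy of a container API can shadow or conflict with the server's own classes. Add `<scope>provided</scope>` to that dependency together with a comment in the style of the others, e.g. `<!-- Import the EJB API, we use provided scope as the API is included in JBoss AS 7 -->`.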
@@ -0,0 +1,91 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2011, Red Hat, Inc. and/or its affiliates,
+ * and individual contributors as indicated by the @author tags.
+ * See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ * This copyrighted material is made available to anyone wishing to use,
+ * modify, copy, or redistribute it subject to the terms and conditions
+ * of the GNU Lesser General Public License, v. 2.1.
+ * This program is distributed in the hope that it will be useful, but WITHOUT A
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ * You should have received a copy of the GNU Lesser General Public License,
+ * v.2.1 along with this distribution; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301, USA.
+ *
+ * (C) 2012,
+ * @author Sherif Makary Red Hat MW SA.*/
+
+package org.jboss.as.quickstarts.ejb_security;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import javax.ejb.EJB;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.jboss.as.quickstarts.ejb_security.SecuredEJB;
+
+/**
+ * <p>
+ * Simple Servlet calling secured ejb
+ * using Servlet 3 security annotations
+ * Upon successful authentication and authorization the servlet
+ * will call the secured ejb and retrieve the principal name
+ * </p>
+ *
+ *
+ *
+ * @author Sherif Makary MW SA
+ *
+ */
+@SuppressWarnings("serial")
+@WebServlet("/CallSecuredEJBServlet")
+
+public class CallSecuredEJBServlet extends HttpServlet {
+
+ static String PAGE_HEADER = "<html><head /><body>";
+
+ static String PAGE_FOOTER = "</body></html>";
+
+ //Injecting the Secured EJB
+ @EJB
+ private SecuredEJB securedEJB;
+
+ /**
+ * <p>
+ * Servlet entry point method which calls securedEJB.getSecurityInfo()
+ * </p>
+ * */
+
+ @Override
+ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ PrintWriter writer = resp.getWriter();
+ //Get user principal
+ String principal = null;
+ String authType = null;
+ String remoteUser=null;
+
+ //Get security principal
+ principal = securedEJB.getSecurityInfo();
+ //Get user name from login principal
+ remoteUser = req.getRemoteUser();
+ //Get authentication type
+ authType = req.getAuthType();
+
+
+ writer.println(PAGE_HEADER);
+ writer.println("<h1>" + "Successfully called Secured EJB " + "</h1>");
+ writer.println("<p>" + "Principal : " + principal + "</p>");
+ writer.println("<p>" + "Remote User : " + remoteUser +"</p>");
+ writer.println("<p>" + "Authentication Type : " + authType + "</p>");
+ writer.println(PAGE_FOOTER);
+ writer.close();
+ }
+
+}
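Review bot: `CallSecuredEJBServlet` carries only `@WebServlet`, so nothing visible in this hunk makes the container authenticate the caller before `doGet` runs, although the class Javadoc says it uses Servlet 3 security annotations and the README expects a BASIC login challenge. Unless a web.xml that this page does not show declares the constraint, an anonymous request would reach `securedEJB.getSecurityInfo()` and fail at the EJB's role check instead of prompting for credentials. Declare the constraint on the class, e.g. `@ServletSecurity(@HttpConstraint(rolesAllowed = { "gooduser" }))` with the matching `javax.servlet.annotation` imports; the BASIC auth method itself still has to come from a `<login-config>` in the deployment descriptor. Separately, `principal` and `remoteUser` are concatenated into the HTML unescaped, and `PAGE_HEADER`/`PAGE_FOOTER` should be `private static final`.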
@@ -0,0 +1,40 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2011, Red Hat, Inc. and/or its affiliates,
+ * and individual contributors as indicated by the @author tags.
+ * See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ * This copyrighted material is made available to anyone wishing to use,
+ * modify, copy, or redistribute it subject to the terms and conditions
+ * of the GNU Lesser General Public License, v. 2.1.
+ * This program is distributed in the hope that it will be useful, but WITHOUT A
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ * You should have received a copy of the GNU Lesser General Public License,
+ * v.2.1 along with this distribution; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301, USA.
+ *
+ * (C) 2012,
+ * @author Sherif Makary Red Hat MW SA.*/
+
+
+package org.jboss.as.quickstarts.ejb_security;
+
+import javax.ejb.Local;;
+
+
+/**
+ * <p>
+ * Simple secured ejb Interface
+ * </p>
+ *
+ * @author Sherif Makary MW SA
+ *
+ */
+
+@Local
+public interface SecuredEJB {
+ public String getSecurityInfo();
+
+}
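Review bot: The import line reads `import javax.ejb.Local;;` with a doubled semicolon; javac tolerates it, but it is a stray empty declaration and should be `import javax.ejb.Local;`. The `public` modifier on `getSecurityInfo()` is redundant inside an interface. The method also has no Javadoc saying what string it returns; a one-line comment such as `/** Returns the caller principal as seen by the EJB container. */` would document the contract for implementers and callers.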
@@ -0,0 +1,67 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2011, Red Hat, Inc. and/or its affiliates,
+ * and individual contributors as indicated by the @author tags.
+ * See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ * This copyrighted material is made available to anyone wishing to use,
+ * modify, copy, or redistribute it subject to the terms and conditions
+ * of the GNU Lesser General Public License, v. 2.1.
+ * This program is distributed in the hope that it will be useful, but WITHOUT A
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ * You should have received a copy of the GNU Lesser General Public License,
+ * v.2.1 along with this distribution; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301, USA.
+ *
+ * (C) 2012,
+ * @author Sherif Makary Red Hat MW SA.*/
+
+
+package org.jboss.as.quickstarts.ejb_security;
+
+import javax.ejb.Stateless;
+import org.jboss.as.quickstarts.ejb_security.SecuredEJB;
+import java.security.Principal;
+import javax.ejb.SessionContext;
+import javax.annotation.Resource;
+import javax.annotation.security.RolesAllowed;
+
+/**
+ * <p>
+ * Simple secured ejb
+ * using ejb security annotations
+ * </p>
+ *
+ * @author Sherif Makary MW SA
+ *
+ */
+
+public @Stateless class SecuredEJBBean implements SecuredEJB {
+
+ private Principal principal= null;
+
+ //Inject Session Context
+ @Resource SessionContext ctx;
+
+ /**
+ * <p>
+ * sample Secured ejb method using security annotations
+ * </p>
+ *
+ */
+
+ @Override
+ @RolesAllowed({"gooduser"})
+ public String getSecurityInfo()
+ {
+ //Session context injected using the resource annotation
+ principal = ctx.getCallerPrincipal();
+
+ return principal.toString();
+ }
+
+
+
+}
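Review bot: `getSecurityInfo()` stores the caller in the instance field `principal`, but a stateless bean instance is reused across callers, so the field keeps the previous caller's identity around for no benefit; make it a local, `Principal principal = ctx.getCallerPrincipal();`. The injected `ctx` is package-private and would be better declared as `@Resource private SessionContext ctx;`. The role name in `@RolesAllowed({"gooduser"})` has to match the `admin=gooduser` entry added elsewhere in this commit, and a comment next to the annotation should say so, since a mismatch only shows up as an access failure at run time.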
@@ -0,0 +1,7 @@
+<!-- Marker file indicating CDI should be enabled -->
+<beans xmlns="http://java.sun.com/xml/ns/javaee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="
+ http://java.sun.com/xml/ns/javaee
+ http://java.sun.com/xml/ns/javaee/beans_1_0.xsd">
+</beans>
@@ -0,0 +1 @@
+admin=gooduser
@@ -0,0 +1 @@
+admin=admin
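Review bot: `admin=admin` looks like the users.properties entry that the README's login step relies on, which ships a guessable plaintext credential inside the WAR. The security-domain snippet in the README configures the `UsersRoles` login module without a `hashAlgorithm` module-option, so the password is stored and compared in clear text. For a quickstart that people copy, add a comment in the file such as `# Demo credentials only - replace before deploying anywhere reachable`, and consider storing a hashed value with the `hashAlgorithm`/`hashEncoding` options set on the login module.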