Added EJB Security

commit d089fd94f8437ec7057017506114db5e35f557e9 1 parent fda84c9
Sherif Makary authored pmuir committed
71 ejb-security/README.md
@@ -0,0 +1,71 @@
+ejb-security: Using JEE Declarative Security to Control Access to EJB 3
+====================
+Author: Sherif F. Makary
+
+This example demonstrates the use of JEE declarative security to control access to EJB 3 and Security in JBoss AS7 and JBoss Enterprise Application Platform 6.
+
+The example can be deployed using Maven from the command line or from Eclipse using JBoss Tools.
+
+The following are the steps required to implement EJB security:
+
+1. The application will use a security domain that is defined in the application server standalone.xml that is called "other"
+2. Add a user called "UserA" with password = "password" and belongs to a role called "gooduser" and realm "ApplicationRealm", for more information regarding how to add a user using the "add-user" utility, please refer to the quick starts root readme.md file
+3. A security-domain reference for the "other" security domain is added to /webapp/WEB-INF/jboss-web.xml, please note, jboss-web.xml is used for WAR packaging, if you would like to package the EJB in a JAR you would need to use jboss-ejb.xml instead
+4. A security-constraints is added to the /webapp/WEB-INF/web.xml
+5. Security annotations are added to the EJB declaration
+Please note the allowed user role "gooduser" in the annotation -`@RolesAllowed`- is the same as the user role defined in step 2
+
+For more information, refer to the <a href="https://docs.jboss.org/author/display/AS71/Getting+Started+Developing+Applications+Guide" title="Getting Started Developing Applications Guide">Getting Started Developing Applications Guide</a> and find Security --> EJB3 Security.
+
+
+## Deploying the Quickstart
+
+First you need to start JBoss AS 7 (or JBoss Enterprise Application Platform 6). To do this, run
+
+ $JBOSS_HOME/bin/standalone.sh
+
+or if you are using Windows
+
+ $JBOSS_HOME/bin/standalone.bat
+
+To deploy the application, you first need to produce the archive:
+
+ mvn clean package
+
+
+You can now deploy the artifact to JBoss AS by executing the following command:
+
+ mvn jboss-as:deploy
+
+This will deploy `target/jboss-as-ejb-security` to the running instance of JBoss AS.
+
+## Testing the Quickstart
+
+The application will be running at the following URL <http://localhost:8080/jboss-as-ejb-security/>.
+
+When you access the application, you should get a browser login challenge.
+
+After a successful login using admin/admin, the browser will display the following security info:
+
+ Successfully called Secured EJB
+
+ Principal : admin
+ Remote User : admin
+ Authentication Type : BASIC
+
+Change the role in the quickstart /src/main/webapp/WEB-INF/classes/roles.properties files to 'gooduser1'.
+Rebuild the application using by typing the following command:
+
+ mvn clean package
+
+Re-deploy the application by typing:
+
+ mvn jboss-as:deploy
+
+Refresh the browser, clear the active login, and you should get a security exception similar to the following:
+
+ HTTP Status 403 - Access to the requested resource has been denied
+
+ type Status report
+ message Access to the requested resource has been denied
+ description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
105 ejb-security/pom.xml
@@ -0,0 +1,105 @@
+<?xml version="1.0"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <groupId>org.jboss.as.quickstarts</groupId>
+ <artifactId>jboss-as-ejb-security</artifactId>
+ <version>7.1.1-SNAPSHOT</version>
+ <packaging>war</packaging>
+ <name>JBoss AS Quickstarts: ejb-security</name>
+ <description>JBoss AS Quickstarts: ejb-security</description>
+
+ <url>http://jboss.org/jbossas</url>
+ <licenses>
+ <license>
+ <name>Apache License, Version 2.0</name>
+ <distribution>repo</distribution>
+ <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
+ </license>
+ </licenses>
+
+ <properties>
+ <!-- Explicitly declaring the source encoding eliminates the following
+ message: -->
+ <!-- [WARNING] Using platform encoding (UTF-8 actually) to copy filtered
+ resources, i.e. build is platform dependent! -->
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+
+ <dependencyManagement>
+ <dependencies>
+ <!-- Define the version of JBoss' Java EE 6 APIs we want to use -->
+ <!-- JBoss distributes a complete set of Java EE 6 APIs including
+ a Bill of Materials (BOM). A BOM specifies the versions of a "stack" (or
+ a collection) of artifacts. We use this here so that we always get the correct
+ versions of artifacts. Here we use the jboss-javaee-6.0 stack (you can
+ read this as the JBoss stack of the Java EE 6 APIs). You can actually
+ use this stack with any version of JBoss AS that implements Java EE 6, not
+ just JBoss AS 7! -->
+ <dependency>
+ <groupId>org.jboss.spec</groupId>
+ <artifactId>jboss-javaee-6.0</artifactId>
+ <version>3.0.0.Beta1</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
+ </dependencies>
+ </dependencyManagement>
+
+ <dependencies>
+
+ <!-- Import the CDI API, we use provided scope as the API is included
+ in JBoss AS 7 -->
+ <dependency>
+ <groupId>javax.enterprise</groupId>
+ <artifactId>cdi-api</artifactId>
+ <scope>provided</scope>
+ </dependency>
+
+ <!-- Import the Common Annotations API (JSR-250), we use provided scope
+ as the API is included in JBoss AS 7 -->
+ <dependency>
+ <groupId>org.jboss.spec.javax.annotation</groupId>
+ <artifactId>jboss-annotations-api_1.1_spec</artifactId>
+ <scope>provided</scope>
+ </dependency>
+
+ <!-- Import the Servlet API, we use provided scope as the API is included
+ in JBoss AS 7 -->
+ <dependency>
+ <groupId>org.jboss.spec.javax.servlet</groupId>
+ <artifactId>jboss-servlet-api_3.0_spec</artifactId>
+ <scope>provided</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.jboss.spec.javax.ejb</groupId>
+ <artifactId>jboss-ejb-api_3.1_spec</artifactId>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <!-- Set the name of the war, used as the context root when the app
+ is deployed -->
+ <finalName>jboss-as-ejb-security</finalName>
+ <plugins>
+ <!-- JBoss AS plugin to deploy war -->
+ <plugin>
+ <groupId>org.jboss.as.plugins</groupId>
+ <artifactId>jboss-as-maven-plugin</artifactId>
+ <version>7.1.0.Final</version>
+ </plugin>
+ <!-- Compiler plugin enforces Java 1.6 compatibility and activates
+ annotation processors -->
+ <plugin>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <version>2.3.1</version>
+ <configuration>
+ <source>1.6</source>
+ <target>1.6</target>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
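Review bot: The `jboss-ejb-api_3.1_spec` dependency near the end of the `<dependencies>` block is the only API artifact declared without `<scope>provided</scope>`, so Maven's default compile scope will package the EJB API jar into the WAR's WEB-INF/lib even though the server already supplies it, unlike the CDI, annotations and servlet APIs above it. Add `<scope>provided</scope>` to that dependency so all four spec APIs are handled the same way and the deployed archive does not carry a second copy of container classes.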
86 ejb-security/src/main/java/org/jboss/as/quickstarts/ejb_security/CallSecuredEJBServlet.java
@@ -0,0 +1,86 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2011, Red Hat, Inc. and/or its affiliates,
+ * and individual contributors as indicated by the @author tags.
+ * See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ * This copyrighted material is made available to anyone wishing to use,
+ * modify, copy, or redistribute it subject to the terms and conditions
+ * of the GNU Lesser General Public License, v. 2.1.
+ * This program is distributed in the hope that it will be useful, but WITHOUT A
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ * You should have received a copy of the GNU Lesser General Public License,
+ * v.2.1 along with this distribution; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301, USA.
+ *
+ * (C) 2012,
+ * @author Sherif Makary */
+
+package org.jboss.as.quickstarts.ejb_security;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import javax.ejb.EJB;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.jboss.as.quickstarts.ejb_security.SecuredEJB;
+
+/**
+ * <p>
+ * Simple Servlet calling secured ejb
+ * using Servlet 3 security annotations
+ * Upon successful authentication and authorization the servlet
+ * will call the secured ejb and retrieve the principal name
+ * </p>
+ * @author Sherif Makary
+ *
+ */
+@SuppressWarnings("serial")
+@WebServlet("/CallSecuredEJBServlet")
+
+public class CallSecuredEJBServlet extends HttpServlet {
+
+ static String PAGE_HEADER = "<html><head /><body>";
+
+ static String PAGE_FOOTER = "</body></html>";
+
+ //Inject the Secured EJB
+ @EJB
+ private SecuredEJB securedEJB;
+
+ /**
+ * <p>
+ * Servlet entry point method which calls securedEJB.getSecurityInfo()
+ * </p>
+ * */
+
+ @Override
+ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ PrintWriter writer = resp.getWriter();
+ String principal = null;
+ String authType = null;
+ String remoteUser=null;
+
+ //Get security principal
+ principal = securedEJB.getSecurityInfo();
+ //Get user name from login principal
+ remoteUser = req.getRemoteUser();
+ //Get authentication type
+ authType = req.getAuthType();
+
+ writer.println(PAGE_HEADER);
+ writer.println("<h1>" + "Successfully called Secured EJB " + "</h1>");
+ writer.println("<p>" + "Principal : " + principal + "</p>");
+ writer.println("<p>" + "Remote User : " + remoteUser +"</p>");
+ writer.println("<p>" + "Authentication Type : " + authType + "</p>");
+ writer.println(PAGE_FOOTER);
+ writer.close();
+ }
+
+}
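Review bot: The principal, remote user and authentication type are concatenated straight into the HTML body in the three `writer.println("<p>" ...)` calls without any encoding, so whatever characters the realm permits in a user name are reflected verbatim into the page. Those values come from the authenticated identity rather than from a request parameter, which limits the exposure, but a quickstart is the pattern readers copy into real applications, so the output should be encoded before it is written. A small escaping helper is enough here; the `PAGE_HEADER`/`PAGE_FOOTER` fields should also be `static final` (and preferably `private`), and the `writer.close()` at the end can be dropped since the container manages the response writer.

```java
/** Minimal HTML text escaping for values written into the response body. */
private static String escapeHtml(String s) {
    if (s == null) {
        return "null"; // matches what string concatenation of a null reference printed before
    }
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
}
// … unchanged: doGet up to the <h1> line …
writer.println("<p>" + "Principal : " + escapeHtml(principal) + "</p>");
writer.println("<p>" + "Remote User : " + escapeHtml(remoteUser) + "</p>");
writer.println("<p>" + "Authentication Type : " + escapeHtml(authType) + "</p>");
writer.println(PAGE_FOOTER);
```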
40 ejb-security/src/main/java/org/jboss/as/quickstarts/ejb_security/SecuredEJB.java
@@ -0,0 +1,40 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2011, Red Hat, Inc. and/or its affiliates,
+ * and individual contributors as indicated by the @author tags.
+ * See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ * This copyrighted material is made available to anyone wishing to use,
+ * modify, copy, or redistribute it subject to the terms and conditions
+ * of the GNU Lesser General Public License, v. 2.1.
+ * This program is distributed in the hope that it will be useful, but WITHOUT A
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ * You should have received a copy of the GNU Lesser General Public License,
+ * v.2.1 along with this distribution; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301, USA.
+ *
+ * (C) 2012,
+ * @author Sherif Makary */
+
+
+package org.jboss.as.quickstarts.ejb_security;
+
+import javax.ejb.Local;;
+
+
+/**
+ * <p>
+ * Simple secured ejb Interface
+ * </p>
+ *
+ * @author Sherif Makary MW SA
+ *
+ */
+
+@Local
+public interface SecuredEJB {
+ public String getSecurityInfo();
+
+}
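Review bot: The import line `import javax.ejb.Local;;` carries a stray second semicolon; it compiles as an empty declaration but is flagged by most linters and looks like a typo. The `public` modifier on `getSecurityInfo()` is redundant on an interface method and is normally omitted. Suggested lines: `import javax.ejb.Local;` and `String getSecurityInfo();`.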
65 ejb-security/src/main/java/org/jboss/as/quickstarts/ejb_security/SecuredEJBBean.java
@@ -0,0 +1,65 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2011, Red Hat, Inc. and/or its affiliates,
+ * and individual contributors as indicated by the @author tags.
+ * See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ * This copyrighted material is made available to anyone wishing to use,
+ * modify, copy, or redistribute it subject to the terms and conditions
+ * of the GNU Lesser General Public License, v. 2.1.
+ * This program is distributed in the hope that it will be useful, but WITHOUT A
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ * You should have received a copy of the GNU Lesser General Public License,
+ * v.2.1 along with this distribution; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301, USA.
+ *
+ * (C) 2012,
+ * @author Sherif Makary Red Hat MW SA.*/
+
+
+package org.jboss.as.quickstarts.ejb_security;
+
+import javax.ejb.Stateless;
+import org.jboss.as.quickstarts.ejb_security.SecuredEJB;
+import java.security.Principal;
+import javax.ejb.SessionContext;
+import javax.annotation.Resource;
+import javax.annotation.security.RolesAllowed;
+
+/**
+ * <p>
+ * Simple secured ejb
+ * using ejb security annotations
+ * </p>
+ *
+ * @author Sherif Makary
+ *
+ */
+
+@Stateless
+public class SecuredEJBBean implements SecuredEJB {
+
+ private Principal principal= null;
+
+ //Inject Session Context
+ @Resource SessionContext ctx;
+
+ /**
+ * <p>
+ * sample Secured ejb method using security annotations
+ * </p>
+ *
+ */
+
+ @Override
+ @RolesAllowed({"gooduser"})
+ public String getSecurityInfo()
+ {
+ //Session context injected using the resource annotation
+ principal = ctx.getCallerPrincipal();
+
+ return principal.toString();
+ }
+}
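Review bot: The caller principal is stored in the `principal` instance field of a `@Stateless` bean even though it is only needed inside `getSecurityInfo()`; stateless instances are pooled and reused across callers, so caller-specific data does not belong in a field, and any later method reading that field would see whichever caller last set it. Make it a local and use `getName()`, which is the documented way to obtain the principal's name (`toString()` output is implementation-defined): `Principal caller = ctx.getCallerPrincipal();` followed by `return caller.getName();`, and drop the field. The `@Resource SessionContext ctx;` field should also be `private`; the container injects it regardless of visibility.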
6 ejb-security/src/main/webapp/WEB-INF/jboss-web.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<jboss-web>
+ <security-domain>other</security-domain>
+ <disable-audit>true</disable-audit>
+</jboss-web>
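Review bot: `<disable-audit>true</disable-audit>` appears to switch off the web container's security audit logging for this deployment, which means the authentication attempts and the 403 the README tells the reader to provoke leave no audit record. For a quickstart whose whole subject is access control, that audit trail is what a reader would want to inspect, and nothing on the page explains why it is disabled. Either remove the element or keep it with a comment stating the reason, e.g. `<!-- audit logging disabled for this quickstart only; keep it enabled in real deployments -->`.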
24 ejb-security/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+ version="3.0">
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>*</web-resource-name>
+ <url-pattern>/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>gooduser</role-name>
+ </auth-constraint>
+ </security-constraint>
+ <security-role>
+ <role-name>gooduser</role-name>
+ </security-role>
+ <login-config>
+ <auth-method>BASIC</auth-method>
+ <realm-name>RealmUsersRoles</realm-name>
+ </login-config>
+</web-app>
+
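Review bot: The `<security-constraint>` has no `<user-data-constraint>`, and with `<auth-method>BASIC</auth-method>` the browser sends the credentials base64-encoded on every request, so the login in this configuration travels over plain HTTP (the README points at http://localhost:8080). On a local loopback that is tolerable, but this constraint block is what readers will copy, so add `<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>` inside the security-constraint, or at least a comment saying it was left out for local testing. As far as I can tell `<realm-name>RealmUsersRoles</realm-name>` is only the challenge label the browser displays and does not select the security domain or the ApplicationRealm the README refers to; a short comment on that line would prevent readers from conflating the two.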
7 ejb-security/src/main/webapp/index.html
@@ -0,0 +1,7 @@
+<!-- Plain HTML page that kicks us into the app -->
+
+<html>
+<head>
+<meta http-equiv="Refresh" content="0; URL=CallSecuredEJBServlet">
+</head>
+</html>