I am working on a large existing EJB 1.1 application that currently does its own security and has no EJB-managed security.
I am trying to move to a more standard solution in small steps, and so I want to start controlling the security Principal being passed to the EJB. I am not going to be able to change the current login or security framework, so I don't believe I can move to JAAS at the present time.
Once I have created a java.security.Principal, where do I store it so it is passed in my EJB calls and available from context.getCallerPrincipal()?
Thanks.
Java EE security is a bit of an all-or-nothing thing. You are supposed to use the Java EE authentication mechanism to have the security context correctly set. As you can see, the EJBContext that you can obtain through injection is read-only.
The only standard way I'm aware of to change the security context is using things like @RunAs (see an example), but it's very inflexible. You cannot pass credentials dynamically.
There are some non-portable container-specific mechanisms; for instance, Glassfish has ProgrammaticLogin. But even in this case, you need to pass the username/password; you cannot just change the Principal on the fly.
I remember reading articles where they explained how to set the security context manually using internal APIs of the container, but it's of course non-portable and not supported.
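To make the two points of this answer concrete, here is an added example (not code from the answer or from any particular container) of what "read-only" and "inflexible" look like in practice: the bean can only read its caller through EJBContext, and @RunAs fixes the outbound identity to one role chosen at deployment time, not per call. The bean names and the "user" and "auditor" roles are assumed for illustration; each class would live in its own source file.

```java
// Added example, not part of the original answer. Bean and role names are assumed.
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// file AuditBean.java
// Downstream bean: only callers in the "auditor" role may invoke it.
@Stateless
@RolesAllowed("auditor")
public class AuditBean {
    @Resource
    private SessionContext ctx; // SessionContext extends EJBContext

    public String whoIsCalling() {
        // The container decides the caller. EJBContext offers getCallerPrincipal()
        // and isCallerInRole() but no setter, so application code cannot swap in
        // a Principal it created itself (the situation the question describes).
        Principal caller = ctx.getCallerPrincipal();
        return caller.getName() + " isAuditor=" + ctx.isCallerInRole("auditor");
    }
}

// file ReportFacade.java
// Facade bean: any caller in "user" may invoke it, but every outbound EJB call
// it makes runs under the fixed role "auditor" declared here at deployment time.
@Stateless
@RolesAllowed("user")
@RunAs("auditor")
public class ReportFacade {
    @EJB
    private AuditBean audit;

    public String run() {
        // Succeeds for any "user" because of @RunAs. Which principal name
        // AuditBean sees for the run-as role is a container-specific mapping.
        // The role is fixed in the annotation: there is no way to pass a
        // different identity or credential per call, which is the inflexibility
        // the answer refers to.
        return audit.whoIsCalling();
    }
}
```

Because the run-as role is part of the deployment descriptor rather than of the request, every call through ReportFacade is authorised identically regardless of who the original caller was; that is why @RunAs cannot substitute for per-call principal propagation.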
The new Security API in Java EE 8 provides a consistent approach to security. The SecurityContext abstraction spans the Servlet and EJB containers and provides methods that return the user principal.
In Java EE 5/6/7 the Servlet and EJB containers implement security context objects inconsistently. For example, the Servlet container provides an HttpServletRequest instance on which the getUserPrincipal() method is called to obtain the user Principal, and the EJB container provides the differently named EJBContext instance, on which the same-named method is called. Likewise, to test if the user belongs to a certain role, the method isUserInRole() is called on the HttpServletRequest instance and isCallerInRole() is called on the EJBContext instance.
The SecurityContext provides consistency across the Servlet and EJB containers for obtaining this kind of information.
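As an added example (not code from the answer or from the Java EE reference implementation), the following shows the inconsistency the answer describes and the Java EE 8 SecurityContext beside it: the same two questions, "who is the caller?" and "is the caller in a role?", asked through HttpServletRequest in the servlet tier, through EJBContext in the EJB tier, and through one SecurityContext in both. The bean and servlet names, the "/orders" URL and the "user" and "admin" roles are assumed for illustration; each class would live in its own source file.

```java
// Added example, not part of the original answer. Names, URL and roles are assumed.
import java.io.IOException;
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// file OrderBean.java
@Stateless
public class OrderBean {
    @Resource
    private SessionContext ejbCtx;       // EJB-container API (Java EE 5/6/7 style)

    @Inject
    private SecurityContext securityCtx; // Java EE 8 API, identical in the servlet tier

    public String describeCaller() {
        // Legacy EJB tier: getCallerPrincipal() / isCallerInRole().
        // EJBContext.getCallerPrincipal() never returns null; an unauthenticated
        // call yields a container-defined anonymous principal instead.
        Principal legacy = ejbCtx.getCallerPrincipal();
        boolean legacyAdmin = ejbCtx.isCallerInRole("admin");

        // Java EE 8: SecurityContext returns null for an unauthenticated caller,
        // so this null check is the one behavioural difference to remember.
        Principal unified = securityCtx.getCallerPrincipal();
        String unifiedName = unified == null ? "<unauthenticated>" : unified.getName();
        boolean unifiedAdmin = securityCtx.isCallerInRole("admin");

        return "EJBContext: " + legacy.getName() + " admin=" + legacyAdmin
             + " | SecurityContext: " + unifiedName + " admin=" + unifiedAdmin;
    }
}

// file OrderServlet.java
@WebServlet("/orders")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user")) // container authenticates first
public class OrderServlet extends HttpServlet {
    @Inject
    private SecurityContext securityCtx; // same type and method names as in OrderBean

    @EJB
    private OrderBean orders;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Legacy servlet tier: getUserPrincipal() / isUserInRole(), differently
        // named from the EJBContext methods that answer the same questions.
        Principal viaRequest = req.getUserPrincipal();
        boolean viaRequestAdmin = req.isUserInRole("admin");

        // Java EE 8: exactly the calls used inside OrderBean.
        Principal viaCtx = securityCtx.getCallerPrincipal();
        boolean viaCtxAdmin = securityCtx.isCallerInRole("admin");

        resp.setContentType("text/plain");
        resp.getWriter().println("HttpServletRequest: " + viaRequest.getName()
                + " admin=" + viaRequestAdmin);
        resp.getWriter().println("SecurityContext: " + viaCtx.getName()
                + " admin=" + viaCtxAdmin);
        // The container propagates the authenticated identity into the EJB call.
        resp.getWriter().println("Propagated to EJB -> " + orders.describeCaller());
    }
}
```

The servlet-tier constraint is what makes the principal non-null there; in the bean, the null check on SecurityContext.getCallerPrincipal() is deliberate, because unlike EJBContext it does not substitute an anonymous principal for an unauthenticated caller.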