
Controlling the security Principal passed on an EJB call

Developer https://www.devze.com 2022-12-24 07:56 Source: Internet
I am working on a large existing EJB 1.1 application that currently does its own security and has no EJB managed security.

I am trying to move to a more standard solution in small steps, and so I want to start controlling the security Principal being passed to the EJB. I am not going to be able to change the current login or security framework, so I don't believe I can move to JAAS at the present time.

Once I have created a java.security.Principal, where do I store it so it is passed in my EJB calls and available from context.getCallerPrincipal()?

Thanks.


Java EE security is a bit of an all-or-nothing thing. You are supposed to use the Java EE authentication mechanism to have the security context correctly set. As you can see, the EJBContext that you can obtain through injection is read-only.

The only standard way I'm aware of to change the security context is using things like @RunAs (See an example), but it's very inflexible. You cannot pass credentials dynamically.

There are some non-portable, container-specific mechanisms; for instance, Glassfish has ProgrammaticLogin. But even in this case, you need to pass the username/password; you cannot just change the Principal on the fly.

I remember reading articles where they explained how to set the security context manually using internal API of the container, but it's of course non-portable and not supported.
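To make the two points of this answer concrete (the caller identity is read-only from the bean's side, and @RunAs only lets you fix an outbound role at deployment time), here is an added example; it is not code from the question, the answer, or any particular container. The bean names, the roles "user" and "auditor", and the method names are assumptions chosen for illustration, and the two classes would live in separate source files. It uses EJB 3 annotations rather than the EJB 1.1 deployment-descriptor form.

```java
// File: AuditLogBean.java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Downstream bean: the container rejects any caller that is not in role "auditor".
@Stateless
@DeclareRoles({"user", "auditor"})
public class AuditLogBean {
    @Resource
    private SessionContext ctx;   // EJBContext subtype; exposes the caller, never lets you set it

    @RolesAllowed("auditor")
    public String recordAccess(String resourceName) {
        // The container decides who the caller is; the bean can only read it.
        Principal caller = ctx.getCallerPrincipal();
        return "audit: " + caller.getName() + " accessed " + resourceName;
    }
}

// File: OrderBean.java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Upstream bean: ordinary users may call it, but every call it makes to other
// beans carries the fixed role "auditor". The role is a compile-time string;
// there is no API to swap in a different Principal per call.
@Stateless
@RunAs("auditor")
@RolesAllowed("user")
public class OrderBean {
    @EJB
    private AuditLogBean audit;

    @Resource
    private SessionContext ctx;

    public String placeOrder(String item) {
        // Inside this bean getCallerPrincipal() still returns the real caller;
        // @RunAs only changes the identity seen by beans this one calls.
        String user = ctx.getCallerPrincipal().getName();
        audit.recordAccess("order:" + item);   // succeeds because of @RunAs("auditor")
        return "order placed by " + user;
    }
}
```

Which Principal name AuditLogBean sees for the run-as identity is decided by the container's role-to-principal mapping in its deployment descriptor, which is exactly the inflexibility the answer describes: you pick one role per bean at deployment, not a Principal per call.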


The new Security API in Java EE 8 provides a consistent approach to Security. The SecurityContext abstraction spans the Servlet and EJB containers and provides methods that return the user principal.

In Java EE 5/6/7 the servlet and EJB containers implement security context objects inconsistently. For example, the servlet container provides an HttpServletRequest instance on which the getUserPrincipal() method is called to obtain the user Principal, and the EJB container provides the differently named EJBContext instance, on which the same named method is called. And likewise, to test if the user belongs to a certain role the method isUserRole() is called on the HttpServletRequest instance and the isCallerInRole() is called on the EJBContext instance.

The SecurityContext provides consistency across the Servlet and EJB container for obtaining this kind of information.
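As an added example of the consistency this answer describes (not code from the answer or from any Java EE vendor), the following shows the same SecurityContext type injected into an EJB and into a servlet, side by side with the request-bound getUserPrincipal() call that older code had to use. The class names, the URL "/whoami", the role "admin", and the protected path "/admin/index.html" are assumptions; the two classes would be separate source files in a Java EE 8 web application.

```java
// File: CallerDescription.java
import java.security.Principal;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;

// Runs in the EJB container, yet uses the same SecurityContext API as the servlet below.
@Stateless
public class CallerDescription {
    @Inject
    private SecurityContext securityContext;

    public String describe() {
        Principal p = securityContext.getCallerPrincipal();
        // null means the request was not authenticated, so guard before calling getName().
        String name = (p == null) ? "anonymous" : p.getName();
        boolean admin = securityContext.isCallerInRole("admin");
        return name + (admin ? " [admin]" : "");
    }
}

// File: WhoAmIServlet.java
import java.io.IOException;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {
    @Inject
    private SecurityContext securityContext;   // same type as in the EJB above

    @Inject
    private CallerDescription callerDescription;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Pre-EE 8 style: servlet-only API tied to the request object.
        String legacy = (req.getUserPrincipal() == null)
                ? "anonymous" : req.getUserPrincipal().getName();

        // EE 8 style: identical call shape whether the code runs in a servlet or an EJB.
        String unified = callerDescription.describe();

        // Ask the container whether this caller may GET a protected web resource,
        // without actually issuing that request.
        boolean canSeeAdminPages =
                securityContext.hasAccessToWebResource("/admin/index.html", "GET");

        resp.setContentType("text/plain");
        resp.getWriter().printf("legacy=%s%nunified=%s%nadminPages=%s%n",
                legacy, unified, canSeeAdminPages);
    }
}
```

Both classes answer the "who is calling and what may they do" question through one interface, so a check written once in CallerDescription is reused unchanged from the web tier; the only place the legacy HttpServletRequest API still appears is the line kept for comparison.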
