
I have a simple EE5 application with a web client and an ejb module running glassfish 2. The security annotations in the ejbs on methods are getting ignored, but not those on class level.

For example I have following bean:

    import javax.annotation.Resource;
    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.DenyAll;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.EJBContext;
    import javax.ejb.Stateful;
    import org.slf4j.Logger;          // assumed SLF4J, given the "{}" placeholder in log.debug
    import org.slf4j.LoggerFactory;

    @Stateful(mappedName = "ejb/PurchaseOrderDao")
    @DeclareRoles("employees")
    @RolesAllowed(value = { "employees" })   // class level: only "employees" may call any method
    public class PurchaseOrderDao implements PurchaseOrderDaoLocal {

        private static final Logger log = LoggerFactory.getLogger(PurchaseOrderDao.class);

        @Resource
        private EJBContext ejbContext;

        // delegate: the underlying DAO the call is forwarded to (its declaration is elided in the post)

        @DenyAll   // method level: no caller should be able to invoke add(), but this is ignored on glassfish 2
        public final void add(final PurchaseOrder instance) {
            log.debug("Is User in Role employees: {}", ejbContext.isCallerInRole("employees"));
            delegate.add(instance);
        }

        [...]
    }

Every user can call this method. The debug statement returns the correct value.

The security constraints on web resources in the web client defined in the web.xml are working as expected, but not those defined in the annotations on methods.

In my application.xml I am defining the realm and the roles. I am mapping them in the sun-application.xml.

What can be the cause? Is it a known issue of glassfish v2? It works correctly in glassfish v3.

Other resources:

sun-ejb-jar.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<sun-ejb-jar>
    <enterprise-beans>
    </enterprise-beans>
</sun-ejb-jar>

ejb-jar.xml

<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:ejb="http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
version="3.0">
    <display-name>ejb</display-name>
</ejb-jar>

application.xml

<?xml version="1.0" encoding="UTF-8"?>
<application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:application="http://java.sun.com/xml/ns/javaee/application_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_5.xsd"
    id="ocea" version="5">
    <display-name>ocea</display-name>
    <module>
        <ejb>ejb.jar</ejb>
    </module>
    <module>
        <web>
            <web-uri>web.war</web-uri>
            <context-root>ocea</context-root>
        </web>
    </module>

    <security-role>
        <description>Employees</description>
        <role-name>employees</role-name>
    </security-role>
    <security-role>
        <description>Suppliers</description>
        <role-name>suppliers</role-name>
    </security-role>
    <library-directory>/lib</library-directory>
</application>

sun-application.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-application PUBLIC '-//Sun Microsystems, Inc.//DTD Application Server 9.0 Java EE Application 5.0//EN' 'http://www.sun.com/software/appserver/dtds/sun-application_5_0-0.dtd'>
<sun-application>
    <security-role-mapping>
        <role-name>employees</role-name>
        <group-name>employees</group-name>
    </security-role-mapping>

    <security-role-mapping>
        <role-name>suppliers</role-name>
        <group-name>suppliers</group-name>
    </security-role-mapping>

</sun-application>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
  <display-name>web</display-name>
  <!-- [...] -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login</form-login-page>
      <form-error-page>/loginfailed</form-error-page>
    </form-login-config>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>PublicContent</web-resource-name>
      <description>Publically available Content needs no authorization.</description>
      <url-pattern>/static/*</url-pattern>
      <url-pattern>/logout</url-pattern>
      <url-pattern>/loggedout</url-pattern>
      <url-pattern>/decorator</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Add Requests</web-resource-name>
      <description>accessible by employees</description>
      <url-pattern>/requestadd</url-pattern>
      <url-pattern>/requestaddreal</url-pattern>
      <url-pattern>/orderadd</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employees</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Add Bids</web-resource-name>
      <description>accessible by suppliers</description>
      <url-pattern>/bidadd</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>suppliers</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Webapplication</web-resource-name>
      <description>accessible by authorized users</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>For Employees and Suppliers</description>
      <role-name>employees</role-name>
      <role-name>suppliers</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- [...] -->
  <ejb-local-ref>
    <ejb-ref-name>ejb/Dao</ejb-ref-name>
    <local>ejb.dao.DaoLocal</local>
  </ejb-local-ref>
  <!-- [... other ejb-local-ref ...] -->
</web-app>
Christian
  • You're saying that annotations on class level were _not_ ignored yet you also say that "Every user can call this method". If the annotation on class level worked correctly, and the one on `add` doesn't, only "employees" (not _every_ user) should be allowed to call `add`? – Marcel Stör Jan 09 '13 at 20:37
  • In this example this is right. But I got another example where I don't define RolesAllowed on the class level, but on the method level, and then really every user is allowed. – Christian Jan 10 '13 at 07:01

1 Answer


Have you seen this page: Howto secure webservices on GlassFish 2?

You should also add items in sun-ejb-jar.xml for your EJBs for the authentication requirement. Have you done that as well?

Vahid Farahmand
  • I've seen this page, but my question is not regarding webservices. My sun-ejb-jar.xml contains nothing apart from . But shouldn't the method annotations work without entries in the xml? And if not, what should I write into the xml? – Christian Jan 08 '13 at 11:35
  • Have you managed to solve it? Are you sure you've checked everything like employee roles, sun-ejb-jar.xml etc.? No simple error like a missed tag, missed comma, etc., right? – Vahid Farahmand Jan 14 '13 at 12:45
  • Have you followed guides here? http://www.oracle.com/technetwork/articles/javaee/security-annotation-142276.html – Vahid Farahmand Jan 14 '13 at 12:55
  • Yes I did follow these guidelines. I am 100% sure I have no typos. The security constraints do work on glassfish 3. You mentioned sun-ejb-jar.xml. What should be in there? – Christian Jan 15 '13 at 09:10
  • May I see some more parts of your work, like sun-ejb-jar.xml file and related files to protection/passwords of annotations? – Vahid Farahmand Jan 15 '13 at 10:26
  • I've added the configuration files. Please have a look at them. Thanks in advance. – Christian Jan 15 '13 at 12:50