tomee-users mailing list archives

From aptem <apt...@gmail.com>
Subject Securing EJB with webapp Realm
Date Thu, 01 May 2014 21:21:05 GMT
Hi.
I am trying to build a secured application including remote EJBs and embed as
much configuration as possible into the application.

I created an hsqldb datasource in WEB-INF/resources.xml:
<resources>
  <Resource id="myDatasource" type="DataSource">
  		JdbcUrl jdbc:hsqldb:file:data/mydb
  		...
  </Resource>
</resources>

And a datasource realm in META-INF/context.xml:
<Context reloadable="true" antiJARLocking="true">
	<Realm className="org.apache.catalina.realm.DataSourceRealm"
		localDataSource="true" dataSourceName="myDatasource" ... />		   
</Context>

And I protected my web application in WEB-INF/web.xml:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://java.sun.com/xml/ns/javaee"
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
	id="srm" version="3.0">
	<welcome-file-list>
		<welcome-file>index.jsp</welcome-file>
	</welcome-file-list>
	<servlet>
		<servlet-name>ServerServlet</servlet-name>
		<servlet-class>org.apache.openejb.server.httpd.ServerServlet</servlet-class>
	</servlet>
	<servlet-mapping>
		<servlet-name>ServerServlet</servlet-name>
		<url-pattern>/ejb/*</url-pattern>
	</servlet-mapping>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>srm</web-resource-name>
			<url-pattern>/*</url-pattern>
			<http-method>GET</http-method>
		</web-resource-collection>		
		<auth-constraint>
			<role-name>admin</role-name>
		</auth-constraint>
	</security-constraint>
	<login-config>
		<auth-method>BASIC</auth-method>
		<realm-name>Authentication required</realm-name>
	</login-config>
	<security-role>
		<role-name>admin</role-name>
	</security-role>
</web-app>

Everything works fine for regular HTTP requests, but when trying to look up a
protected EJB (annotated with @DeclareRoles, @RolesAllowed), the default Realm
from server.xml is used (I am able to call the EJB with users defined in
tomcat-users.xml, but not with users defined in my database).
Properties p = new Properties();
p.put("java.naming.factory.initial", "org.apache.openejb.client.RemoteInitialContextFactory");
p.put("java.naming.provider.url", "http://localhost:8080/srm/ejb");
p.put("java.naming.security.principal", "tomee");
p.put("java.naming.security.credentials", "tomee");
InitialContext ctx = new InitialContext(p);
SecuredBeanRemote myBean = (SecuredBeanRemote) ctx.lookup("SecuredBeanRemote");

Am I doing something wrong with the configuration?




--
View this message in context: http://openejb.979440.n4.nabble.com/Securing-EJB-with-webapp-Realm-tp4669071.html
Sent from the OpenEJB User mailing list archive at Nabble.com.
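
Added example (not part of the original message and not TomEE code): the security-constraint in the web.xml above names <http-method>GET</http-method>, and under the Servlet specification a web-resource-collection that names methods constrains only those methods. The Python sketch below audits a web.xml for that pattern; the function names and the reduced sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"jee": "http://java.sun.com/xml/ns/javaee"}  # namespace of the web.xml in the message

# Constructed sample: the security-constraint from the message, reduced to the relevant elements.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>srm</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def texts(node, path):
    """Stripped text of every element matching path below node."""
    return [e.text.strip() for e in node.findall(path, NS) if e.text]


def audit_constraints(web_xml_text):
    """Return one finding per web-resource-collection, noting HTTP methods it leaves uncovered."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for constraint in root.findall("jee:security-constraint", NS):
        roles = texts(constraint, "jee:auth-constraint/jee:role-name")
        for coll in constraint.findall("jee:web-resource-collection", NS):
            listed = [m.upper() for m in texts(coll, "jee:http-method")]
            omitted = [m.upper() for m in texts(coll, "jee:http-method-omission")]
            if listed:
                gap = "only %s covered; other methods are not covered by this constraint" % ", ".join(listed)
            elif omitted:
                gap = "%s explicitly excluded from this constraint" % ", ".join(omitted)
            else:
                gap = None  # no method elements: the constraint applies to every HTTP method
            findings.append({"patterns": texts(coll, "jee:url-pattern"), "roles": roles,
                             "covered": listed or "ALL", "gap": gap})
    return findings


if __name__ == "__main__":
    for f in audit_constraints(SAMPLE_WEB_XML):
        print(f["patterns"], f["roles"], f["gap"] or "all methods covered")
```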
