
Thread: Authentication of a remote EJB client

  1. #1
    Join Date
    Aug 2004
    Posts
    2,715

    Authentication of a remote EJB client

    I'm just starting with Acegi security and encountered a problem.

    My scenario is the following:

    I have a spring based application in an application server providing a facade of stateless session beans. I would like to access the provided services both via a web interface (spring MVC) and via remote EJB calls.

    I already managed to set up a little application. Now I would like to add some security features with Acegi Security.
    My first step has been to wrap my service bean with a MethodSecurityInterceptor. Now accessing that method causes an exception (AuthenticationCredentialsNotFoundException), which is ok since I did not perform any authentication steps.
    Currently the web controller also uses the remote interface, so both entry points are secured.

    Now the question is: how do I perform authentication so that I can invoke the secured method again?
    I guess that RemoteAuthenticationManager and RemoteAuthenticationProvider have to be used, but I'm not sure how. I also have not found an example using EJB remoting.

    Some questions:
    - Do I have to provide an EJB remote interface for RemoteAuthenticationManager?
    - How do I use RemoteAuthenticationProvider on the client side?
    - Do I need container adapters for authentication from my web interface?

    Maybe someone could provide hints to a solution.

    Regards,
    Andreas

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768


    Which EJB container are you using? Are the EJBs colocated with the web tier? Are the EJBs accessed solely from a web tier or also a rich client? Are you trying to use EJB declarative security, or just MethodSecurityInterceptor around a services bean that wraps the EJBs?

  3. #3
    Join Date
    Aug 2004
    Posts
    2,715


    Hello Ben,

    - I am using JBoss 4.0.1SP1

    - There is one server hosting both the EJBs and the web tier

    - I plan to access the EJBs both from the web-tier and from a rich client

    - Currently I am not using EJB declarative security since I thought I could get it done with Acegi Security alone. I am trying to keep things simple. At the moment I just use a MethodSecurityInterceptor wrapping my POJO (which is accessed by a facade EJB, a stateless session bean).

    The server-side setup seems to be OK so far. But I'm a little lost concerning the client-side setup, especially concerning the rich client.

    Regards,
    Andreas

  4. #4
    Join Date
    Aug 2004
    Posts
    2,715


    An update:

    I created an EJB-Facade of RemoteAuthenticationManager which I made available via spring. The client uses RemoteAuthenticationProvider.
    So far the authentication seems to work. When providing the right credentials, I can see that the associated role is available in the returned Authentication.

    Still I am not quite sure how to proceed. Somehow I have to get the Authentication back to the server (into the SecureContext). I think it would not be a good idea to transmit the Authentication as an argument of each server call, would it?

    Regards,
    Andreas

  5. #5
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768


    Which protocol are you using for your rich client? Have you considered using ContextPropagatingRemoteInvocation?

  6. #6
    Join Date
    Aug 2004
    Posts
    2,715


    I am trying to access EJB facades, so the protocol is usually RMI.

    Since I'm quite new to Acegi Security I am not (yet) aware of all the possibilities. So I must confess that I have not noticed ContextPropagatingRemoteInvocation yet. From the javadoc it seems to me to be dedicated to plain RMI communication (anyway, good to know that it is there if I need it).

    I think the main problem with EJBs is that one cannot intercept their invocation to transparently pass context information (please correct me if this is not true). So one is bound to pass an explicit context parameter. This, as I understand it, has to contain an Authentication instance which has to be placed in the SecureContext on the server. Would you agree with this procedure, or am I missing something here?

    Regards,
    Andreas
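As an added example (not code from this thread, and not Acegi's own), here is the server-side half of the explicit-context-parameter approach described in #4 and #6: the rich client sends its username and password with each facade call, and the facade re-authenticates them through the same local AuthenticationManager the web tier uses before binding the result to the invoking thread's SecureContext. Package names assume the Acegi 0.8-era net.sf.acegisecurity API whose SecureContext/ContextHolder names appear in this thread; AuthenticatedFacadeSupport and ServiceCall are hypothetical names.

```java
// Added example, not from the thread. Assumes the Acegi 0.8-era API
// (net.sf.acegisecurity.*) whose SecureContext/ContextHolder names appear above.
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationManager;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContextImpl;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;

/**
 * Hypothetical helper used by the stateless session bean facade. Every remote
 * call carries the caller's username and password (the "explicit context
 * parameter" from the thread). The server never accepts a client-built
 * Authentication object: its GrantedAuthority[] would be whatever the client
 * chose to serialize, so the credentials are verified again here.
 */
public class AuthenticatedFacadeSupport {

    /** Unit of work the facade delegates to the POJO behind MethodSecurityInterceptor. */
    public interface ServiceCall {
        Object invoke() throws Exception;
    }

    private final AuthenticationManager authenticationManager;

    public AuthenticatedFacadeSupport(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public Object callAs(String username, String password, ServiceCall call) throws Exception {
        // Same AuthenticationManager the web tier uses (e.g. backed by a DaoAuthenticationProvider).
        // authenticate() throws an AuthenticationException on bad credentials, so nothing below runs.
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        Authentication verified = authenticationManager.authenticate(request);

        SecureContextImpl context = new SecureContextImpl();
        context.setAuthentication(verified);
        ContextHolder.setContext(context); // now visible to MethodSecurityInterceptor on this thread
        try {
            return call.invoke();
        } finally {
            // Container threads are pooled: never leave one caller's Authentication
            // behind for the next, unrelated invocation to inherit.
            ContextHolder.setContext(null);
        }
    }
}
```

Each facade method then wraps its delegate call in callAs(username, password, ...) and is otherwise unchanged; the credentials still travel with every RMI call, so the transport between rich client and server should be protected accordingly.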

  7. #7
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Hi,

    You seem to have a lot of stuff going on at once in there so it's hard to see where the problem is.

    You say you have a web front end - is this working OK? If a secure context is set up in the invoking thread on the server, then it should be available in MethodSecurityInterceptor.

    For the standalone client, if you're calling the EJB remotely, then the client would normally use JAAS and the JBoss ClientLoginModule to establish any security information. However, the way this is passed to the server is JBoss-specific and Acegi doesn't have the capability to intercept this (at least I don't think it does).

    In JBoss 3 you would probably have to install a separate EJB interceptor in JBoss which would perform the authentication against Acegi and set up the secure context. I'm not familiar with how the EJB container is implemented in JBoss 4, however, with its AOP support.

  8. #8
    Join Date
    Aug 2004
    Posts
    2,715


    Quote Originally Posted by Luke
    You say you have a web front end - is this working OK? If a secure context is set up in the invoking thread on the server, then it should be available in MethodSecurityInterceptor.
    Yes, I managed to set up security for the web frontend. Just simple role-based security for now, but I think I have understood the basics so far.

    Quote Originally Posted by Luke
    For the standalone client, if you're calling the EJB remotely, then the client would normally use JAAS and the JBoss ClientLoginModule to establish any security information. However, the way this is passed to the server is JBoss-specific and Acegi doesn't have the capability to intercept this (at least I don't think it does).
    I fear using container specific stuff will indeed be the only option. I will keep that in mind.

    Anyway, thank you for your input. It has been really helpful.
    Andreas

  9. #9
    Join Date
    Jun 2005
    Location
    México City
    Posts
    47

    Accessing EJB with declarative security

    Quote Originally Posted by Andreas Senft
    I fear using container specific stuff will indeed be the only option. I will keep that in mind.
    Hi, Andreas.

    I hope you can help out with the following issue: I have a legacy EJB protected with declarative security. I am now trying to access it via Spring with a SLSBProxy. I get a RemoteAccessException, obviously, as I know my call to the proxy is not being authenticated.

    How should I invoke services on this proxy if the SLSB is protected with declarative security?

    I have posted this about three times in different forums for the sake of good semantics. Any piece of information you can provide on how to do this will be greatly appreciated.

    Best regards.

    J.

  10. #10
    Join Date
    Aug 2004
    Posts
    2,715


    Does the access work without the proxy? If yes, you might open a Jira issue concerning this. If not, the problem seems to be a missing authentication.

    As far as I know, authentication is more or less container specific, so maybe the documentation of your application container can provide you with additional information about authentication and authorization issues.

    I'm sorry for not being able to provide more details on this.

    Regards,
    Andreas
