Can Acegi secure web service calls to ejbs using jboss 4?

[dnordin]

Hi,

I am trying to determine the best way to implement a decarative security methodology. I run jboss 4 and have stateless session beans (ejbs) accessed by soap web service clients.

1. I would like to be able to restrict certain web service methods to certain users/ groups declaratively.

2. I notice that the ThreadLocal based secure context used by acegi depends on the invoker's intercepted thread name being constant throughout a secure (http) session.

3. To try to extend this concept from the usual acegi servlet/web client to a web service or rmi client, I have built an aop interceptor for my ejb that receives my web service calls. I printed out the thread names of my ejb and the interceptor and found out that the interceptor runs under a different thread than the ejb. Does this mean acegi cannot be used in this scenerio?

4. Do you have any suggestions for a solution I might try?

Thanks,

Dave

[Luke Taylor]

3. To try to extend this concept from the usual acegi servlet/web client to a web service or rmi client, I have built an aop interceptor for my ejb that receives my web service calls. I printed out the thread names of my ejb and the interceptor and found out that the interceptor runs under a different thread than the ejb. Does this mean acegi cannot be used in this scenerio?

I'm not familiar with JBoss AOP (or JBoss 4) but it seems very unlikely that a single invocation would use different threads for an EJB interceptor and its target EJB. Are you sure this is the case?

[dnordin]

My problem is that if I log in and then call a (getVersion()) method, the thread servicing the login in the ejb and interceptor is different that that of the subsequent getVersion() call even though the calls are made by the same client one right after another.

To me this would make it appear impossible to use the ThreadLocal methodolgy employed by acegi.

-------------------------------------------------------------------------------------

From my web service client:

-------------------------------------------------------------------------------------


public void testWebServiceAccess() throws Exception
{
AOPTestEndpoint endpoint = (AOPTestEndpoint)service.getPort(AOPTestEndpoint.c lass);
endpoint.logIn("Dave", "dmn");
String version = endpoint.getVersion();
System.out.println("Version = " + version);
}


-------------------------------------------------------------------------------------

From my Stateless Session Bean (EJB):

My web service client calls logIn() then getVersion()... In the logs below you can see that logIn uses a different thread than getVersion

-------------------------------------------------------------------------------------

public void logIn(String userName, String passWord) throws RemoteException
{
try {
String methodName = " logIn()";
System.out.println(this.getClass().getName() + methodName);
System.out.println("; Current Thread: " + Thread.currentThread().toString() + "; Name: " + Thread.currentThread().getName());
}
catch (Exception e) {
e.printStackTrace();
throw new RemoteException();
};
}

public String getVersion() throws RemoteException
{
try {
String methodName = " getVersion()";
System.out.println(this.getClass().getName() + methodName);
System.out.println("; Current Thread: " + Thread.currentThread().toString() + "; Name: " + Thread.currentThread().getName());
return this.version;
}
catch (Exception e) {
e.printStackTrace();
throw new RemoteException();
}
}

-------------------------------------------------------------------------------------

From my AOP Interceptor:

-------------------------------------------------------------------------------------

package com.ihs.aoptest.aop;

import org.jboss.aop.joinpoint.Invocation;

public class SecurityInterceptor implements org.jboss.aop.advice.Interceptor {

public Object invoke(Invocation invocation) throws Throwable
{
try {
String methodName = " invoke()";
System.out.println(this.getClass().getName() + methodName);
System.out.println("; Current Thread: " + Thread.currentThread().toString() + "; Name: " + Thread.currentThread().getName());
return invocation.invokeNext();
}
finally
{
}
}

public String getName() {return this.toString();}

}


-------------------------------------------------------------------------------------

From the JBOSS LOG at runtime (Note the thread names for logIn() and getVersion()):

-------------------------------------------------------------------------------------

2005-04-28 08:44:27,183 DEBUG [org.jboss.webservice.handler.HandlerChainBaseImpl] Handle request: [state=METHOD_READY,handler=com.ihs.aoptest.handler .PortComponentHandler@1b34d17]
2005-04-28 08:44:27,183 INFO [com.ihs.aoptest.handler.PortComponentHandler] handleRequest: org.apache.axis.MessageContext@a334c1
2005-04-28 08:44:27,183 DEBUG [org.jboss.webservice.handler.HandlerChainBaseImpl] Exit: doHandleRequest with status: true
2005-04-28 08:44:27,339 INFO [STDOUT] com.ihs.aoptest.aop.SecurityInterceptor invoke()
2005-04-28 08:44:27,339 INFO [STDOUT] ; Current Thread: Thread[http-0.0.0.0-8080-Processor24,5,jboss]; Name: http-0.0.0.0-8080-Processor24
2005-04-28 08:44:27,339 DEBUG [com.ihs.aoptest.impl.AOPTestBean] setSessionContext
2005-04-28 08:44:27,339 INFO [STDOUT] com.ihs.aoptest.aop.SecurityInterceptor invoke()
2005-04-28 08:44:27,354 INFO [STDOUT] ; Current Thread: Thread[http-0.0.0.0-8080-Processor24,5,jboss]; Name: http-0.0.0.0-8080-Processor24
2005-04-28 08:44:27,354 INFO [STDOUT] com.ihs.aoptest.impl.AOPTestBean@13e6657ejbCreate( ) running...
2005-04-28 08:44:27,354 DEBUG [com.ihs.aoptest.impl.AOPTestBean] ejbCreate
2005-04-28 08:44:27,354 INFO [STDOUT] com.ihs.aoptest.aop.SecurityInterceptor invoke()
2005-04-28 08:44:27,354 INFO [STDOUT] ; Current Thread: Thread[http-0.0.0.0-8080-Processor24,5,jboss]; Name: http-0.0.0.0-8080-Processor24
2005-04-28 08:44:27,354 INFO [STDOUT] com.ihs.aoptest.impl.AOPTestBean logIn()
2005-04-28 08:44:27,354 INFO [STDOUT] ; Current Thread: Thread[http-0.0.0.0-8080-Processor24,5,jboss]; Name: http-0.0.0.0-8080-Processor24
2005-04-28 08:44:27,714 INFO [STDOUT] com.ihs.aoptest.aop.SecurityInterceptor invoke()
2005-04-28 08:44:27,714 INFO [STDOUT] ; Current Thread: Thread[http-0.0.0.0-8080-Processor23,5,jboss]; Name: http-0.0.0.0-8080-Processor23
2005-04-28 08:44:27,714 INFO [STDOUT] com.ihs.aoptest.impl.AOPTestBean getVersion()
2005-04-28 08:44:27,714 INFO [STDOUT] ; Current Thread: Thread[http-0.0.0.0-8080-Processor23,5,jboss]; Name: http-0.0.0.0-8080-Processor23
2005-04-28 08:44:27,714 DEBUG

-------------------------------------------------------------------------------------