Tuesday, December 4, 2007

Secure EJB with stand alone client on Glassfish (part 1)

Posted by Andre Broers
Security is hot these days, so let's start with a sample to implement it in the EJB session beans.

First thing to do is create three users in Glassfish:

asadmin create-file-user --groups myusergrp myuser1

asadmin create-file-user --groups myusergrp myuser2

asadmin create-file-user myadmin

We have now created two users that are members of the group myusergrp, and a myadmin user with no group.

After this we can create the secure bean:

/home/broersa/work/HelloApp/HelloSecurity/src/com/bekijkhet/Hello.java

[sourcecode language="java"]

package com.bekijkhet;

public interface Hello {
    public String sayHellosuperuser();
    public String sayHellousersuperuser();
    public String sayHellouser();
    public String sayHelloPermitAll();
    public String sayHelloDenyAll();
}

[/sourcecode]
/home/broersa/work/HelloApp/HelloSecurity/src/com/bekijkhet/HelloBean.java
[sourcecode language="java"]

package com.bekijkhet;

import javax.ejb.Stateless;
import javax.ejb.Remote;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;

@Stateless
@Remote(Hello.class)
public class HelloBean implements Hello {

    // Only callers in the application role "superuser"
    @RolesAllowed("superuser")
    public String sayHellosuperuser() {
        return "sayHellosuperuser";
    }

    // Callers in either role
    @RolesAllowed({"user","superuser"})
    public String sayHellousersuperuser() {
        return "sayHellousersuperuser";
    }

    // Only callers in the application role "user"
    @RolesAllowed("user")
    public String sayHellouser() {
        return "sayHellouser";
    }

    // Every caller, whatever its roles
    @PermitAll
    public String sayHelloPermitAll() {
        return "sayHelloPermitAll";
    }

    // No caller at all
    @DenyAll
    public String sayHelloDenyAll() {
        return "sayHelloDenyAll";
    }
}

[/sourcecode]
Next we create the mapping in which we map the application roles to the application server users and groups.

/home/broersa/work/HelloApp/HelloSecurity/META-INF/sun-ejb-jar.xml
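[sourcecode language="XML"]

<?xml version="1.0" encoding="UTF-8"?>
<sun-ejb-jar>
  <!-- role "user" is granted to every member of the group myusergrp -->
  <security-role-mapping>
    <role-name>user</role-name>
    <group-name>myusergrp</group-name>
  </security-role-mapping>
  <!-- role "superuser" is granted to the single user myadmin -->
  <security-role-mapping>
    <role-name>superuser</role-name>
    <principal-name>myadmin</principal-name>
  </security-role-mapping>
  <enterprise-beans/>
</sun-ejb-jar>

[/sourcecode]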
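How the realm's users and groups, the role mapping and the bean's annotations combine into an access decision can be modelled in plain Java. This is an added example, not code from the original post and not GlassFish code; the class name RoleMappingModel and the "*" marker standing for @PermitAll are assumptions of the model.

```java
import java.util.*;

// Added illustration: models the container's decision; it is not GlassFish code.
public class RoleMappingModel {
    // File-realm users and their groups, as created with asadmin create-file-user.
    static final Map<String, Set<String>> USER_GROUPS = Map.of(
        "myuser1", Set.of("myusergrp"),
        "myuser2", Set.of("myusergrp"),
        "myadmin", Set.of());
    // sun-ejb-jar.xml: role "user" -> group, role "superuser" -> single principal.
    static final Map<String, Set<String>> ROLE_GROUPS = Map.of("user", Set.of("myusergrp"));
    static final Map<String, Set<String>> ROLE_PRINCIPALS = Map.of("superuser", Set.of("myadmin"));
    // HelloBean annotations; "*" stands for @PermitAll, the empty set for @DenyAll.
    static final Map<String, Set<String>> METHOD_ROLES = new LinkedHashMap<>();
    static {
        METHOD_ROLES.put("sayHellosuperuser", Set.of("superuser"));
        METHOD_ROLES.put("sayHellousersuperuser", Set.of("user", "superuser"));
        METHOD_ROLES.put("sayHellouser", Set.of("user"));
        METHOD_ROLES.put("sayHelloPermitAll", Set.of("*"));
        METHOD_ROLES.put("sayHelloDenyAll", Set.of());
    }

    // Roles come from a direct principal mapping or from any group the user is in.
    static Set<String> rolesOf(String user) {
        Set<String> groups = USER_GROUPS.getOrDefault(user, Set.of());
        Set<String> roles = new TreeSet<>();
        ROLE_PRINCIPALS.forEach((role, names) -> { if (names.contains(user)) roles.add(role); });
        ROLE_GROUPS.forEach((role, names) -> { if (!Collections.disjoint(names, groups)) roles.add(role); });
        return roles;
    }

    // Roles are flat: "superuser" does not imply "user".
    static boolean allowed(String user, String method) {
        Set<String> required = METHOD_ROLES.getOrDefault(method, Set.of());
        return required.contains("*") || !Collections.disjoint(required, rolesOf(user));
    }

    public static void main(String[] args) {
        for (String user : List.of("myadmin", "myuser1", "myuser2")) {
            System.out.println(user + " roles=" + rolesOf(user));
            for (String m : METHOD_ROLES.keySet())
                System.out.println("  " + m + ": " + (allowed(user, m) ? m : "No Permission"));
        }
    }
}
```

For myadmin the model denies sayHellouser, because the superuser role is mapped independently and does not include the user role; this is the same result the real client prints further down.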
and the build.xml file:

/home/broersa/work/HelloApp/HelloSecurity/build.xml
[sourcecode language="xml"]



simple example build file













description="compile the source " >




description="generate the distribution" >












description="clean up" >




[/sourcecode]
Build the EJB with:

asant dist

Deploy it with:

asadmin deploy dist/HelloSecurity.jar

Now we must create the client:

/home/broersa/work/HelloApp/HelloClient/src/com/bekijkhet/helloclient/HelloClient.java

[sourcecode language="java"]

package com.bekijkhet.helloclient;

import javax.naming.*;
import com.bekijkhet.Hello;
import com.sun.appserv.security.ProgrammaticLogin;

public class HelloClient {
    public static void main(String[] args) {
        try {
            // args[0] = username, args[1] = password
            ProgrammaticLogin login = new ProgrammaticLogin();
            login.login(args[0], args[1]);

            System.out.println("1");

            InitialContext ctx = new InitialContext();

            System.out.println("2");

            // The credentials are checked by the server here, on the first remote call
            Hello n = (Hello) ctx.lookup("com.bekijkhet.Hello");

            System.out.println("3");

            // Call every method; the container rejects the ones the caller's roles do not cover
            try {
                System.out.print("sayHellosuperuser: ");
                System.out.println(n.sayHellosuperuser());
            } catch (javax.ejb.EJBException t) { System.out.println("No Permission"); }
            try {
                System.out.print("sayHellousersuperuser: ");
                System.out.println(n.sayHellousersuperuser());
            } catch (javax.ejb.EJBException t) { System.out.println("No Permission"); }
            try {
                System.out.print("sayHellouser: ");
                System.out.println(n.sayHellouser());
            } catch (javax.ejb.EJBException t) { System.out.println("No Permission"); }
            try {
                System.out.print("sayHelloPermitAll: ");
                System.out.println(n.sayHelloPermitAll());
            } catch (javax.ejb.EJBException t) { System.out.println("No Permission"); }
            try {
                System.out.print("sayHelloDenyAll: ");
                System.out.println(n.sayHelloDenyAll());
            } catch (javax.ejb.EJBException t) { System.out.println("No Permission"); }
        }
        catch (Exception x) {
            // Any other failure, including a rejected login at lookup time
            System.out.println("Invalid Username Password");
        }
    }
}

[/sourcecode]
Compile the code:

javac -cp $GLASSFISH_HOME/lib/appserv-rt.jar:$GLASSFISH_HOME/lib/appserv-admin.jar:$GLASSFISH_HOME/lib/javaee.jar:$HOME/work/HelloApp/HelloSecurity/dist/HelloSecurity.jar:. -d . HelloClient.java

Run the code with different users:

as myadmin which is in the superuser role:

java -cp $GLASSFISH_HOME/lib/appserv-rt.jar:$GLASSFISH_HOME/lib/appserv-admin.jar:$GLASSFISH_HOME/lib/javaee.jar:$HOME/work/HelloApp/HelloSecurity/dist/HelloSecurity.jar:. -Djava.security.auth.login.config=$GLASSFISH_HOME/lib/appclient/appclientlogin.conf com.bekijkhet.helloclient.HelloClient myadmin myadmin

1
2
3
sayHellosuperuser: sayHellosuperuser
sayHellousersuperuser: sayHellousersuperuser
sayHellouser: No Permission
sayHelloPermitAll: sayHelloPermitAll
sayHelloDenyAll: No Permission

as myuser1 which is in the myusergrp which has the user role:

java -cp $GLASSFISH_HOME/lib/appserv-rt.jar:$GLASSFISH_HOME/lib/appserv-admin.jar:$GLASSFISH_HOME/lib/javaee.jar:$HOME/work/HelloApp/HelloSecurity/dist/HelloSecurity.jar:. -Djava.security.auth.login.config=$GLASSFISH_HOME/lib/appclient/appclientlogin.conf com.bekijkhet.helloclient.HelloClient myuser1 myuser1

1
2
3
sayHellosuperuser: No Permission
sayHellousersuperuser: sayHellousersuperuser
sayHellouser: sayHellouser
sayHelloPermitAll: sayHelloPermitAll
sayHelloDenyAll: No Permission

as myuser2 which is also in the myusergrp which has the user role:

java -cp $GLASSFISH_HOME/lib/appserv-rt.jar:$GLASSFISH_HOME/lib/appserv-admin.jar:$GLASSFISH_HOME/lib/javaee.jar:$HOME/work/HelloApp/HelloSecurity/dist/HelloSecurity.jar:. -Djava.security.auth.login.config=$GLASSFISH_HOME/lib/appclient/appclientlogin.conf com.bekijkhet.helloclient.HelloClient myuser2 myuser2

1
2
3
sayHellosuperuser: No Permission
sayHellousersuperuser: sayHellousersuperuser
sayHellouser: sayHellouser
sayHelloPermitAll: sayHelloPermitAll
sayHelloDenyAll: No Permission

When you call the client with an invalid username and password combination, the lookup of the bean throws an exception. It is caught by the last catch block in the client's main method:

java -cp $GLASSFISH_HOME/lib/appserv-rt.jar:$GLASSFISH_HOME/lib/appserv-admin.jar:$GLASSFISH_HOME/lib/javaee.jar:$HOME/work/HelloApp/HelloSecurity/dist/HelloSecurity.jar:. -Djava.security.auth.login.config=$GLASSFISH_HOME/lib/appclient/appclientlogin.conf com.bekijkhet.helloclient.HelloClient myuser1 myuser

1
2
Invalid Username Password
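
The client above takes the password from the command line and reports every EJBException as "No Permission" and every other exception as a bad login. A variant that prompts for the password and keeps access denials apart from other failures follows, as an added example that is not part of the original post. It assumes Java 8 or later and that the container reports a denied call as javax.ejb.EJBAccessException; the class name HelloClientChecked is hypothetical.

```java
package com.bekijkhet.helloclient;

import java.io.Console;
import java.util.Arrays;
import java.util.concurrent.Callable;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBException;
import javax.naming.InitialContext;
import com.bekijkhet.Hello;
import com.sun.appserv.security.ProgrammaticLogin;

// Added example; the class name HelloClientChecked is hypothetical.
public class HelloClientChecked {
    // Run one bean call and report an authorization denial separately from other failures.
    static void call(String name, Callable<String> method) {
        try {
            System.out.println(name + ": " + method.call());
        } catch (EJBAccessException e) {
            System.out.println(name + ": No Permission");
        } catch (EJBException e) {
            System.out.println(name + ": EJB failure, not an access decision: " + e);
        } catch (Exception e) {
            System.out.println(name + ": unexpected error: " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage: HelloClientChecked <user> (needs an interactive terminal)");
            System.exit(2);
        }
        // Prompt for the password so it never shows up in argv or the shell history.
        char[] password = console.readPassword("Password for %s: ", args[0]);
        if (password == null) System.exit(2);
        new ProgrammaticLogin().login(args[0], new String(password));
        Arrays.fill(password, '\0');

        // Left uncaught on purpose: a rejected login fails here and shows its real cause.
        Hello n = (Hello) new InitialContext().lookup("com.bekijkhet.Hello");
        call("sayHellosuperuser", n::sayHellosuperuser);
        call("sayHellousersuperuser", n::sayHellousersuperuser);
        call("sayHellouser", n::sayHellouser);
        call("sayHelloPermitAll", n::sayHelloPermitAll);
        call("sayHelloDenyAll", n::sayHelloDenyAll);
    }
}
```

Compile and run it with the same classpath and the same -Djava.security.auth.login.config setting as HelloClient, passing only the username.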

6 comments:

  1. What is this -> build the ejb with:asant distdeploy:asadmin deploy dist/HelloSecurity.jar

    When I run that command I get the following. "Target `distdeploy:asadmin' does not exist in this project."

    How do I build the ejb? Thanks!

  2. Oggie:
    you run:
    asant dist
    and
    asadmin deploy dist/HelloSecurity.jar

    Somehow WordPress (or I) won't do the cr/lf in a correct way.. Sorry..
