About Question enthuware.ocejws.v6.2.226 :
Moderators: Site Manager, fjwalraven
- Posts: 18
- Joined: Wed Jan 20, 2016 7:16 pm
About Question enthuware.ocejws.v6.2.226 :
Hi,
Sorry but I don't understand this requirement: "Define the root resource class as an Singleton EJB." I am researching this issue but cannot find an answer on what Singleton EJB has to do with role based JAX-RS authentication? I understand other requirements but have a gap in knowledge regarding EJB connection with respect to JAX-RS. Could you kindly explain a bit?
Thanks,
Victor.
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
Re: About Question enthuware.ocejws.v6.2.226 :
You definitely should read and study (a bit) about EJBs and Java EE security. The EE6 tutorial is a good starting point: http://docs.oracle.com/javaee/6/tutorial/doc/
Regards,
Frits
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
Re: About Question enthuware.ocejws.v6.2.226 :
When you define an EJB as a JAX-RS root resource class you can use the EE6 security features an EE6 server provides you (like method based access control).
Nice EE6-security overview: http://docs.oracle.com/javaee/6/tutorial/doc/bnbwk.html
- Posts: 18
- Joined: Wed Jan 20, 2016 7:16 pm
Re: About Question enthuware.ocejws.v6.2.226 :
fjwalraven wrote:
> When you define an EJB as a JAX-RS root resource class you can use the EE6 security features an EE6 server provides you (like method based access control).
> Nice EE6-security overview: http://docs.oracle.com/javaee/6/tutorial/doc/bnbwk.html
Hi,
Thank you for these resources. I also found a discussion of this question (duplicate?) here: viewtopic.php?f=40&t=2535, which is also quite helpful.
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
Re: About Question enthuware.ocejws.v6.2.226 :
That is indeed a similar question (not a duplicate).
Regards,
Frits
- Posts: 27
- Joined: Tue Nov 15, 2016 11:20 am
Re: About Question enthuware.ocejws.v6.2.226 :
fjwalraven wrote:
> That is indeed a similar question (not a duplicate).
> Regards,
> Frits
Am I right in thinking that role-based security is only possible in the EJB container, i.e. when your service is annotated with @Stateless or @Singleton?
Otherwise, if it can be achieved without EJB, then the following option will be correct:
Add a security constraint in the web deployment descriptor to restrict certain URL's.
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
Re: About Question enthuware.ocejws.v6.2.226 :
> Am I right in thinking that role-based security is only possible in the EJB container, i.e. when your service is annotated with @Stateless or @Singleton?
Yes, you are right!
Regards,
Frits
- Posts: 27
- Joined: Tue Nov 15, 2016 11:20 am
Re: About Question enthuware.ocejws.v6.2.226 :
fjwalraven wrote:
> > Am I right in thinking that role-based security is only possible in the EJB container, i.e. when your service is annotated with @Stateless or @Singleton?
> Yes, you are right!
> Regards,
> Frits
The first option is "Add a security constraint in the web deployment descriptor to restrict certain URL's." The explanation says that this is not needed, but am I right in thinking that it CAN ALSO be done using the following config? We would, however, still need to map the users to the roles in a xxx-web.xml file.
Code:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/jsp/security/protected/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
<!-- Security roles used by this web application -->
<security-role>
  <role-name>manager</role-name>
</security-role>
<security-role>
  <role-name>employee</role-name>
</security-role>
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
Re: About Question enthuware.ocejws.v6.2.226 :
Yes, you can do that; however, you can't restrict a single method of a specific RESTful class, and that is what is required by the problem statement:
> We want to use role based security on a method of a RESTful Web Service.
Regards,
Frits
- Posts: 27
- Joined: Tue Nov 15, 2016 11:20 am
Re: About Question enthuware.ocejws.v6.2.226 :
fjwalraven wrote:
> Yes, you can do that; however, you can't restrict a single method of a specific RESTful class, and that is what is required by the problem statement:
> > We want to use role based security on a method of a RESTful Web Service.
> Regards,
> Frits
Thanks Frits.
It's a tricky one. I missed the clue "a method", and even with this clue and the understanding that every method can have its own URL, I feel that the first option is also correct. So, for example, we can restrict a method by restricting its URL, which is equivalent to the statement "role based security on a method". However, in this manner we can also restrict many URLs at once; it really depends on the expression we use in the web.xml, and this expression is not given in the answer, so we are open to guessing what the examiner may be thinking.
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
Re: About Question enthuware.ocejws.v6.2.226 :
> So, for example, we can restrict a method by restricting its URL, which is equivalent to the statement "role based security on a method"
Be careful here: it is not equivalent.
Check this example:
Code:
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;

// Both methods answer GET /convert; they differ only in the media type they
// produce, so a url-pattern in web.xml cannot tell them apart.
@Path("convert")
public class RunningConverter extends MyJAXRS_Classes {

    @GET
    @Produces("text/plain")
    public String getPlainTextResultTimeInSeconds(@QueryParam("me") double metres,
                                                  @QueryParam("km") double kmPerHour) {
        // implementation
    }

    @GET
    @Produces("text/html")
    public String getHTMLResultTimeInSeconds(@QueryParam("me") double metres,
                                             @QueryParam("km") double kmPerHour) {
        // implementation
    }
}
Regards,
Frits
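An added example (not code from the thread or from the exam question) of what the discussion above calls for: the root resource class is itself a session bean (the thread's @Stateless or @Singleton option), so the EJB container enforces the role annotation per method even though both methods answer GET /convert and no url-pattern could separate them. The class name RunningConverterResource and the roles manager and employee are assumptions; the web container must still authenticate the caller first (a <login-config> plus a <security-constraint> covering the URL in web.xml), otherwise the principal reaching the bean is anonymous and the call is rejected before the method runs.

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;

// Hypothetical root resource (assumed name): a stateless session bean that is
// also a JAX-RS root resource, so EJB method-level security applies to it.
@Stateless
@Path("convert")
@DeclareRoles({"manager", "employee"})   // same purpose as <security-role> in web.xml
public class RunningConverterResource {

    // No role check on this variant: every caller the web container lets
    // through (authenticated or not, depending on web.xml) may invoke it.
    @GET
    @Produces("text/plain")
    @PermitAll
    public String asPlainText(@QueryParam("me") double metres,
                              @QueryParam("km") double kmPerHour) {
        return Double.toString(seconds(metres, kmPerHour));
    }

    // Same URL, same HTTP method; only the negotiated media type differs.
    // The EJB container rejects this call unless the caller's principal is
    // authenticated and mapped to the "manager" role.
    @GET
    @Produces("text/html")
    @RolesAllowed("manager")
    public String asHtml(@QueryParam("me") double metres,
                         @QueryParam("km") double kmPerHour) {
        return "<p>" + seconds(metres, kmPerHour) + " s</p>";
    }

    // Time in seconds to cover 'metres' at 'kmPerHour'; shared by both variants.
    static double seconds(double metres, double kmPerHour) {
        return metres / (kmPerHour * 1000.0 / 3600.0);
    }
}
```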
- Posts: 27
- Joined: Tue Nov 15, 2016 11:20 am
Re: About Question enthuware.ocejws.v6.2.226 :
That is an interesting example. Thanks for the explanation.
- Posts: 16
- Joined: Sat Jun 09, 2018 12:09 pm
Re: About Question enthuware.ocejws.v6.2.226 :
Hello, I tried to make a simple example about this question, but I cannot make it work without a security-constraint. I have a resource class with the @Stateless annotation and a method with @RolesAllowed("witek"), but without a security-constraint I get javax.ejb.AccessLocalException: Client not authorized for this invocation.
I'm using glassfish 5 and netbeans.
The rest of the steps I made:
1. I made my own realm and user through the gl console.
2. I made the user to group mapping in glassfish-web.xml.
3. My web.xml:
Code:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>test</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>witek</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>realmyInny1</realm-name>
</login-config>
<security-role>
  <role-name>witek</role-name>
</security-role>
It works in this configuration, but without the <security-constraint> section it doesn't work.
Could someone be so kind and explain to me why?
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
Re: About Question enthuware.ocejws.v6.2.226 :
Hi!
I am not sure why you want to do it without a security constraint? Have you read the Java EE6 tutorial about security?
https://docs.oracle.com/javaee/6/tutori ... gijrp.html
Regards,
Frits
- Posts: 16
- Joined: Sat Jun 09, 2018 12:09 pm
Re: About Question enthuware.ocejws.v6.2.226 :
Thank you, I read most of it. Maybe I misunderstood the option "Add a security constraint in the web deployment descriptor to restrict certain URL's." -> so I have to use a security constraint, but not to restrict certain URLs.
I have two questions connected with it; maybe someone could help me with them:
1: I tried securing a web service in an analogous way: in the same application as the first example I made a @Stateless class with the @WebService annotation and a method with the @RolesAllowed annotation, but it doesn't work. I can view the WSDL without user login and I can't invoke the web service method. When I try I get:
JACC Policy Provider: Failed Permission Check, context(Naukaweb/Naukaweb_internal)- permission(("javax.security.jacc.EJBMethodPermission" "NewWebService" "hello,ServiceEndpoint,java.lang.String"))
2: I'm not sure when I have to use the @DeclaresRoles annotation.
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
Re: About Question enthuware.ocejws.v6.2.226 :
> I can view the WSDL without user login and I can't invoke the web service method
This means that your user doesn't have the correct role.
> 2: I'm not sure when I have to use the @DeclaresRoles annotation.
The @DeclareRoles annotation is used to declare the security role names used in the enterprise bean code. The deployment descriptor equivalent is the <security-role> element.
You might want to go through my EJB notes (security part):
https://coderanch.com/wiki/659897/OCEEJBD-Links
Regards,
Frits
- Posts: 16
- Joined: Sat Jun 09, 2018 12:09 pm
Re: About Question enthuware.ocejws.v6.2.226 :
1. I checked my login user by using the injected WebServiceContext: WebServiceContext.getUserPrincipal().getName() -> ANONYMOUS
2. I see, thank you.
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
Re: About Question enthuware.ocejws.v6.2.226 :
> I checked my login user by using the injected WebServiceContext: WebServiceContext.getUserPrincipal().getName() -> ANONYMOUS
This indicates that the user is not authenticated. Try creating a simple JSP with a login page, enforce authentication, and invoke the web service from the servlet that is behind the login page. You will see that the credentials are propagated from the servlet container to the EJB container.
- Posts: 1
- Joined: Sat Feb 23, 2019 8:04 am
Re: About Question enthuware.ocejws.v6.2.226 :
Thank you for sharing information and your experience, guys; it was very helpful for understanding many other things rather than just our own issues.