Another thing to add

In the ATM example they authenticate a user using the Servlet's built-in form
authentication login form,
e.g.

<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
</form>

This, I presume, creates a principal that is passed to the EJB layer to be
checked. So my question is: how the hell do I do the same thing from a Java
application?


-----Original Message-----
From: Peter Delahunty [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 10, 2000 10:07 AM
To: Orion-Interest
Subject: HELP: Security !!! How to do it.



Hi guys 


I don't know if anyone has done this yet, but I want to connect to Orion from
a Java application using user authentication and authorisation.

I have checked the archives but there is no solid advice there.


My aim is to get a "username" and "password" from a user. Then I want to
authenticate them using Orion. How?

Do I use RoleManager.login()? 'Cos when I try to find it using
"java:comp/RoleManager", Orion gives me a naming exception that says that
name does not exist.


Anyway, if I were to authenticate the user, I then want to test my security
settings below...


So far I have this setup:

So here is my test.

I have a Session Bean with 6 methods

methodA()
methodB()
methodC()
methodD()
methodE()
methodF()

I have 5 roles

role1
role2
role3
role4
role5

These are the permissions

role1   access ALL methods
role2   access ABC
role3   access DEF
role4   access ADE
role5   NO ACCESS

Then the Orion stuff

I have 5 groups

group1  mapped to role  role1
group2  mapped to role  role2
group3  mapped to role  role3
group4  mapped to role  role4
group5  mapped to role  role5

I have 5 users

user1    in group1      role1
user2    in group2      role2
user3    in group3      role3
user4    in group4      role4
user5    in group5      role5


For example, "user1" is linked to "role1" and "role1" can access all methods.
However, if I connect to Orion with the following JNDI configuration

java.naming.factory.initial=com.evermind.server.ApplicationClientInitialContextFactory
java.naming.provider.url=ormi://localhost/securityApp
java.naming.security.principal=user1
java.naming.security.credentials=user1


I can successfully call "create()" to get back the remote interface
of my session bean. However, if I call any of the business methods then I
get a security exception like below...

" Error: user1 is not allowed to call this EJB method, check your security
settings (method-permission
-application.xml)."





So what am I doing wrong!!!!!!!


Here are my config files.


APPLICATION.XML

<snip>
        <module>
                <ejb>ejb</ejb>
        </module>
 
        <security-role>
                <role-name>role1</role-name>
        </security-role>
        <security-role>
                <role-name>role2</role-name>
        </security-role>
        <security-role>
                <role-name>role3</role-name>
        </security-role>
        <security-role>
                <role-name>role4</role-name>
        </security-role>
        <security-role>
                <role-name>role5</role-name>
        </security-role>
</snip>


PRINCIPALS.XML

<principals>
        <groups>

                <group name="group1">
                        <description>users</description>
                        <permission name="rmi:login" />
                        <permission name="com.evermind.server.rmi.RMIPermission" />
                </group>

                <group name="group2">
                        <description>users</description>
                        <permission name="rmi:login" />
                        <permission name="com.evermind.server.rmi.RMIPermission" />
                </group>

                <group name="group3">
                        <description>users</description>
                        <permission name="rmi:login" />
                        <permission name="com.evermind.server.rmi.RMIPermission" />
                </group>

                <group name="group4">
                        <description>users</description>
                        <permission name="rmi:login" />
                        <permission name="com.evermind.server.rmi.RMIPermission" />
                </group>


                <group name="group5">
                        <description>users</description>
                        <permission name="rmi:login" />
                        <permission name="com.evermind.server.rmi.RMIPermission" />
                </group>


        </groups>
        <users>
                <user username="user1"
                      password="user1"
                      >
                        <group-membership group="group1" />
                </user>

                <user username="user2"
                      password="user2"
                      >
                        <group-membership group="group2" />
                </user>

                <user username="user3"
                      password="user3"
                      >
                        <group-membership group="group3" />
                </user>

                <user username="user4"
                      password="user4"
                      >
                        <group-membership group="group4" />
                </user>

                <user username="user5"
                      password="user5"
                      >
                        <group-membership group="group5" />
                </user>

        </users>

</principals>



ORION-APPLICATION.XML

<snip>
        <security-role-mapping name="role1">
                <group name="group1" />
        </security-role-mapping>
        <security-role-mapping name="role2">
                <group name="group2" />
        </security-role-mapping>
        <security-role-mapping name="role3">
                <group name="group3" />
        </security-role-mapping>
        <security-role-mapping name="role4">
                <group name="group4" />
        </security-role-mapping>
        <security-role-mapping name="role5">
                <group name="group5" />
        </security-role-mapping>
        <persistence path="persistence" />
        <principals path="principals.xml" />
        <log>
                <file path="application.log" />
        </log>
        <namespace-access>
                <read-access>
                <namespace-resource root="">
                        <security-role-mapping name="&lt;jndi-user-role&gt;">
                                <group name="administrators" />
                                <group name="group1" />
                                <group name="group2" />
                                <group name="group3" />
                                <group name="group4" />
                                <group name="group5" />
                        </security-role-mapping>
                </namespace-resource>
                </read-access>
                <write-access>
                <namespace-resource root="">
                        <security-role-mapping name="&lt;jndi-user-role&gt;">
                                <group name="administrators" />
                                <group name="group1" />
                                <group name="group2" />
                                <group name="group3" />
                                <group name="group4" />
                                <group name="group5" />
                        </security-role-mapping>
                </namespace-resource>
                </write-access>
        </namespace-access>

</snip>


ORION-EJB-JAR.XML


<orion-ejb-jar deployment-version="1.4.4" deployment-time="e2bdf70944">
        <enterprise-beans>
                <session-deployment name="ejb/securitySession"
                        location="ejb/securitySession"
                        wrapper="SecuritySessionHome_StatelessSessionHomeWrapper1"
                        timeout="1800" persistence-filename="ejb/securitySession" />
        </enterprise-beans>
        <assembly-descriptor>
                <security-role-mapping name="role1">
                        <group name="group1" />
                </security-role-mapping>
                <security-role-mapping name="role2">
                        <group name="group2" />
                </security-role-mapping>
                <security-role-mapping name="role3">
                        <group name="group3" />
                </security-role-mapping>
                <security-role-mapping name="role4">
                        <group name="group4" />
                </security-role-mapping>
                <security-role-mapping name="role5">
                        <group name="group5" />
                </security-role-mapping>
                <default-method-access>
                        <security-role-mapping name="&lt;default-ejb-caller-role&gt;" impliesAll="true" />
                </default-method-access>
        </assembly-descriptor>
</orion-ejb-jar>


EJB-JAR.XML

  <assembly-descriptor>
    <security-role>
      <description>role 1</description>
      <role-name>role1</role-name>
    </security-role>

    <security-role>
      <description>role 2</description>
      <role-name>role2</role-name>
    </security-role>

    <security-role>
      <description>role 3</description>
      <role-name>role3</role-name>
    </security-role>

    <security-role>
      <description>role 4</description>
      <role-name>role4</role-name>
    </security-role>

    <security-role>
      <description>role 5</description>
      <role-name>role5</role-name>
    </security-role>


    <method-permission>
      <description>peter</description>
      <role-name>role1</role-name>
      <method>
        <ejb-name>ejb/securitySession</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>

    <method-permission>
      <description>Restricted</description>
      <role-name>role2</role-name>
      <method>
        <ejb-name>ejb/securitySession</ejb-name>
        <method-name>methodA</method-name>
      </method>
      <method>
        <ejb-name>ejb/securitySession</ejb-name>
        <method-name>methodB</method-name>
      </method>
      <method>
        <ejb-name>ejb/securitySession</ejb-name>
        <method-name>methodC</method-name>
      </method>
    </method-permission>

    <method-permission>
      <description>Restricted</description>
      <role-name>role3</role-name>
      <method>
        <ejb-name>ejb/securitySession</ejb-name>
        <method-name>methodD</method-name>
      </method>
      <method>
        <ejb-name>ejb/securitySession</ejb-name>
        <method-name>methodE</method-name>
      </method>
      <method>
        <ejb-name>ejb/securitySession</ejb-name>
        <method-name>methodF</method-name>
      </method>
    </method-permission>

    <method-permission>
      <description>Restricted</description>
      <role-name>role4</role-name>
      <method>
        <ejb-name>ejb/securitySession</ejb-name>
        <method-name>methodA</method-name>
      </method>
      <method>
        <ejb-name>ejb/securitySession</ejb-name>
        <method-name>methodD</method-name>
      </method>
      <method>
        <ejb-name>ejb/securitySession</ejb-name>
        <method-name>methodE</method-name>
      </method>
    </method-permission>


  </assembly-descriptor>




REMOTE INTERFACE



import java.rmi.RemoteException;
import javax.ejb.EJBObject;

// Remote interface of the session bean; the six business methods are the ones
// listed in the method-permission blocks above.
public interface SecuritySession extends EJBObject {
  public void methodA(String name) throws RemoteException;
  public String methodB(String name) throws RemoteException;
  public void methodC(String name, int age) throws RemoteException;
  public void methodD() throws RemoteException;
  public int methodE(int age) throws RemoteException;
  public String methodF() throws RemoteException;
}




HOME INTERFACE

import java.rmi.RemoteException;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;

public interface SecuritySessionHome extends EJBHome {
  public SecuritySession create() throws RemoteException, CreateException;
}

THANKS !!!
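An added example (not code from the post or from Orion) that audits the ejb-jar.xml side of this setup offline: it parses the assembly-descriptor's method-permission elements, expands the "*" wildcard against the six methods of the remote interface, and builds the role-to-method matrix so it can be compared with the intended table in the post, flagging any method no role is granted. It assumes the constructed descriptor sample embedded in the block mirrors the one posted, and it checks only what the descriptor grants, not the group-to-role mapping Orion applies at runtime.

```python
# Audit an ejb-jar.xml assembly-descriptor: which role may call which bean method.
# Added example, not code from the post or from Orion. Parses the standard
# <security-role>/<method-permission> elements, expands "*" against the bean's
# declared methods, and lists methods no role may call (those fall through to the
# container default, i.e. Orion's <default-method-access>).
import xml.etree.ElementTree as ET

EJB = "ejb/securitySession"
# Business methods declared on the SecuritySession remote interface in the post.
BEAN_METHODS = {EJB: ["methodA", "methodB", "methodC", "methodD", "methodE", "methodF"]}

def _mp(role, *names):
    # Helper to build one <method-permission> element for the constructed sample.
    methods = "".join("<method><ejb-name>%s</ejb-name><method-name>%s</method-name></method>"
                      % (EJB, n) for n in names)
    return "<method-permission><role-name>%s</role-name>%s</method-permission>" % (role, methods)

# Constructed sample mirroring the assembly-descriptor posted above.
EJB_JAR_XML = ("<ejb-jar><assembly-descriptor>"
               + "".join("<security-role><role-name>role%d</role-name></security-role>" % i
                         for i in range(1, 6))
               + _mp("role1", "*") + _mp("role2", "methodA", "methodB", "methodC")
               + _mp("role3", "methodD", "methodE", "methodF")
               + _mp("role4", "methodA", "methodD", "methodE")
               + "</assembly-descriptor></ejb-jar>")

def permission_matrix(xml_text, bean_methods=BEAN_METHODS):
    """Return {role: {ejb-name: set(method names)}} with "*" expanded."""
    ad = ET.fromstring(xml_text).find("assembly-descriptor")
    # Every declared role starts with no access, so role5 shows up as empty.
    matrix = {r.findtext("role-name"): {e: set() for e in bean_methods}
              for r in ad.findall("security-role")}
    for mp in ad.findall("method-permission"):
        roles = [r.text for r in mp.findall("role-name")]
        for m in mp.findall("method"):
            ejb, name = m.findtext("ejb-name"), m.findtext("method-name")
            names = bean_methods[ejb] if name == "*" else [name]
            for role in roles:
                matrix.setdefault(role, {}).setdefault(ejb, set()).update(names)
    return matrix

def is_allowed(matrix, role, method, ejb=EJB):
    """True if the descriptor grants `role` the right to call `method` on `ejb`."""
    return method in matrix.get(role, {}).get(ejb, set())

def unprotected_methods(matrix, bean_methods=BEAN_METHODS):
    """Declared methods that no role may call; they rely on the container default."""
    granted = {(e, n) for per_ejb in matrix.values() for e, ns in per_ejb.items() for n in ns}
    return sorted((e, n) for e, ns in bean_methods.items() for n in ns if (e, n) not in granted)
```

With the posted descriptor the matrix comes out as role1 ALL, role2 ABC, role3 DEF, role4 ADE, role5 empty, and no method is unprotected, so a "not allowed" error for user1 points at the user-to-group-to-role mapping rather than at ejb-jar.xml.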