Hi.
I am trying to build a secured application including remote EJBs and embed as
much configuration as possible into the application.

I created an hsqldb datasource in WEB-INF/resources.xml:
<resources>
  <Resource id="myDatasource" type="DataSource">
    JdbcUrl jdbc:hsqldb:file:data/mydb
    ...
  </Resource>
</resources>

And a datasource realm in META-INF/context.xml:
<Context reloadable="true" antiJARLocking="true">
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
                localDataSource="true" dataSourceName="myDatasource" ... />
</Context>

And I protected my web application in WEB-INF/web.xml:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://java.sun.com/xml/ns/javaee"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
        id="srm" version="3.0">
        <welcome-file-list>
                <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>
        <servlet>
                <servlet-name>ServerServlet</servlet-name>
                <servlet-class>org.apache.openejb.server.httpd.ServerServlet</servlet-class>
        </servlet>
        <servlet-mapping>
                <servlet-name>ServerServlet</servlet-name>
                <url-pattern>/ejb/*</url-pattern>
        </servlet-mapping>
        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>srm</web-resource-name>
                        <url-pattern>/*</url-pattern>
                        <http-method>GET</http-method>
                </web-resource-collection>              
                <auth-constraint>
                        <role-name>admin</role-name>
                </auth-constraint>
        </security-constraint>
        <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>Authentication required</realm-name>
        </login-config>
        <security-role>
                <role-name>admin</role-name>
        </security-role>
</web-app>

Everything works fine for regular HTTP requests, but when trying to look up
a protected EJB (annotated with @DeclareRoles, @RolesAllowed), the default Realm
from server.xml is used (I am able to call the EJB with users defined in
tomcat-users.xml, but not with users defined in my database).

Properties p = new Properties();
p.put("java.naming.factory.initial", "org.apache.openejb.client.RemoteInitialContextFactory");
p.put("java.naming.provider.url", "http://localhost:8080/srm/ejb");
p.put("java.naming.security.principal", "tomee");
p.put("java.naming.security.credentials", "tomee");
InitialContext ctx = new InitialContext(p);
SecuredBeanRemote myBean = (SecuredBeanRemote) ctx.lookup("SecuredBeanRemote");

Am I doing something wrong with the configuration?




--
View this message in context: 
http://openejb.979440.n4.nabble.com/Securing-EJB-with-webapp-Realm-tp4669071.html
Sent from the OpenEJB User mailing list archive at Nabble.com.

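An added example, not part of the original post and not TomEE project code: under the Servlet 3.0 rules, a web-resource-collection that lists <http-method> elements constrains only those methods, so the constraint in the web.xml above applies to GET requests on /* and leaves other methods on /ejb/* outside it. The Python check below lists servlet mappings that are covered only by such method-restricted constraints; the function names are assumptions, and the sample document is constructed from the post's web.xml.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the servlet mapping and constraint from the post's web.xml.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping>
    <servlet-name>ServerServlet</servlet-name>
    <url-pattern>/ejb/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>srm</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def covers(constraint_pattern, mapping_pattern):
    """True if a constraint url-pattern applies to a servlet-mapping pattern.
    Handles exact and path-prefix (/x/*) patterns only, not *.ext patterns."""
    if constraint_pattern == "/*":
        return True
    if constraint_pattern.endswith("/*"):
        prefix = constraint_pattern[:-2]
        return mapping_pattern == prefix or mapping_pattern.startswith(prefix + "/")
    return constraint_pattern == mapping_pattern

def partial_constraints(web_xml):
    """Return (servlet, mapping, listed_methods) for each servlet mapping whose
    matching constraints all list specific methods (<http-method-omission> is
    not evaluated in this sketch)."""
    root = ET.fromstring(web_xml)
    collections = []
    for wrc in root.findall("j:security-constraint/j:web-resource-collection", NS):
        patterns = [p.text.strip() for p in wrc.findall("j:url-pattern", NS)]
        methods = {m.text.strip().upper() for m in wrc.findall("j:http-method", NS)}
        collections.append((patterns, methods))
    findings = []
    for sm in root.findall("j:servlet-mapping", NS):
        name = sm.findtext("j:servlet-name", namespaces=NS).strip()
        for mp in sm.findall("j:url-pattern", NS):
            mapping = mp.text.strip()
            hits = [m for pats, m in collections if any(covers(p, mapping) for p in pats)]
            # A collection with no <http-method> listed applies to every method.
            if hits and all(hits):
                findings.append((name, mapping, sorted(set().union(*hits))))
    return findings
```

A non-empty result means requests using any method not in the listed set reach that servlet without the auth-constraint being applied.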