JavaRanch » Java Forums » Java » EJB and other Java EE Technologies
Accessing restricted EJBs from Swing Apps

Jose Ortuno
Ranch Hand

Joined: Nov 10, 2002
Posts: 39
Hello folks,

I've been crawling the web trying to find some info that could help me. This is my issue:

As per customer request, we have to implement a rich client interface that uses/calls restricted EJB methods.

I tried to find info about JAAS and ProgrammaticLogin with no success.

Some of the info I found states that ProgrammaticLogin relies on the underlying AppServer, therefore I lean towards using JAAS -- which is not supported by all AppServers according to some reading.
However, I am planning to deploy on Sun's AppServer, GlassFish and JBoss; all of them support JAAS (according to some info I found).

My core design is based on the Eclipse Rich Client Platform authenticating to a GlassFish/JBoss server to gain access to EJB3 components restricted by role. I would like to rely on the AppServer security/audit system to keep my design simple.

Perhaps this is a simple and silly question, but I could not find enough info in this regard. Additionally, if any of you have any suggestion, I will be willing to try it.

Any help will be really appreciated.

Thanks in advance.
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 9952

You will find all the information about how JAAS works in JBoss at Security on JBoss


Jose Ortuno
Ranch Hand

Joined: Nov 10, 2002
Posts: 39
Thanks for answering!
I will take a look at the document and will try to find JAAS on GlassFish.
Jose Ortuno
Ranch Hand

Joined: Nov 10, 2002
Posts: 39
Hi there,

Again, all the information I found was related to "Securing web apps" using JAAS.

No success with Swing rich client authentication against J2EE servers using JAAS or any other method.

Cheers
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 9952

Originally posted by Jose Ortuno:
Again, all the information I found was related to "Securing web apps" using JAAS.


Isn't the EJB which you are trying to restrict access to part of a web application?
Nitesh Kant
Bartender

Joined: Feb 25, 2007
Posts: 1638

Does your JAAS login module reside on the app server, or do you do authentication on the client and then want to use the same Subject for authorization in EJBs?
The second one is tricky, as the principals/credentials in the Subject are not serializable and there are a lot of security issues in that. The SAML specifications address this for web services.
The first one can be done by using the specific login modules provided by different application servers. This article provides this info for JBoss.


Jose Ortuno
Ranch Hand

Joined: Nov 10, 2002
Posts: 39
Thank you guys for taking the time to answer.

First, my EJBs are not part of a web app. I am using EJB3 for persistence and session beans for business logic.

Originally posted by Nitesh Kant:
Does your JAAS login module reside on the app server or you do authentication on client


Users are authenticated on the client; it seems to me that I could do authentication FROM the client using ProgrammaticLogin and still use the AppServer security services. I think of JAAS as an alternative.

Perhaps I am wrong and the specification does not support that.

However, I found the following stand-alone example:



The previous example is not based on EJB3. But again I might be wrong and client authentication is not supported. In that case, I will need to start thinking of using web services.

Again, thanks a lot for your kind comments!
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 9952

You can do a JAAS login from the client (a standalone Java app or even a Swing-based client). See if this helps. The example there is a standalone Java app accessing a secure EJB after doing a programmatic JAAS login. Let us know if you need more details.
Nitesh Kant
Bartender

Joined: Feb 25, 2007
Posts: 1638

Originally posted by Jaikiran Pai:
You can do a JAAS login from the client (a standalone java app or even a swing based client). See if this helps. The example there is a standalone java app accessing a secure ejb after doing a programatic JAAS login. Let us know if you need more details

Hi Jaikiran,
I have not tried on the JBoss server, but according to this article that I referred to in my earlier response, it seems like you have to create the EJB under a privileged action executed with the Subject after the login.
<Correct me if I am wrong>
Moreover, the client login module is more of a misnomer, as it does not actually authenticate. It's just an abstraction to hide how the credentials from the stand-alone client are passed to the server. The authentication actually happens on the server side.
Also, it can be a bit misleading, because if the username/password are not correct, the EJB create will fail and not the login!
Also, I am not sure how this client module maps to the actual login module on the server side.
How do I tell that I want to authenticate against LDAP, a database or something else?
</Correct me if I am wrong>
Jose Ortuno
Ranch Hand

Joined: Nov 10, 2002
Posts: 39
Hi there,

This is a very interesting subject. I will quote a friend who has the same issue, which I found while crawling the web:


I have EJBs on my server that users of the account will be accessing through a stand-alone Swing application. The first time the software starts, it'll ask the user for an account ID and password (which I believe are represented by the security principal and credentials respectively). From then on, the software should access a stateless EJB using authentication information. I don't have any trouble accessing the stateless EJB, but the biggest part I'm confused about is how I communicate the security principal and password to the server. Where do I set properties in the stand-alone client code?

[...]

I feel extremely lost and confused with the entire authentication concept of Java EE 5! Authorisation has lots of details written about it - using annotations or deployment descriptors to limit the execution of methods to certain roles. There's even pretty good documentation on how to add users to the system via the admin web interface. The only concept that I can't find a single article or example of is making use of it all!

In my mind, it's the simplest of concepts: Joe has an account ID and password. He only has access to one object on the server, which is referenced from the entity persistence database using his account ID. At the moment, it feels like I would have been better off writing this part of the system manually. Whatever happened to KISS?


It seems to me that using ProgrammaticLogin is easier, since I do not have to implement a LoginModule and a CallbackHandler -- I look at JAAS as an alternative whatsoever.

After reading this article http://java.sun.com/developer/EJTechTips/2006/tt0225.html#2

it looks like ProgrammaticLogin is the simplest and easiest path to follow (of course in my case, which is a very simple client).

Cheers fellows!

[ May 25, 2007: Message edited by: Jose Ortuno ]
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 9952

Nitesh,

Sorry about the late response.

Originally posted by Nitesh Kant:
Moreover, the client login module is more of a misnomer as it does not actually authenticate. Its just an abstraction to hide how the credentials from the stand alone client can be passed to the server.


That's correct. The ClientLoginModule in JBoss is meant to just pass on the login information to the server. The actual authentication does not happen in this login module.

However, this does not mean that the authentication cannot be done on the client side. A LoginContext is nothing but a stack of login modules. If you want to have authentication done on the client side, you can include your own module (something like a database login or LDAP login module, or something else) in this stack. The only restriction (or rather requirement, in JBoss) is that you will also have to include the ClientLoginModule in this stack. This effectively means that you will have two login modules in the stack: one doing the authentication and the other passing the credentials (ClientLoginModule).

Originally posted by Nitesh Kant:
How do i tell that i want to authenticate against an LDAP, Database or something else


Here's an example for LDAP authentication: LdapLoginModule. The database login module configuration will be similar; currently I don't have the link to the example (you can find a default example in the login-config.xml under the %JBOSS_HOME%/server/default/conf folder).
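Putting the two-module stack described above into code, as an added example that is not from the thread, from JBoss's documentation or from the linked article: a standalone (Swing-style) client that logs in through a JAAS LoginContext whose configuration ends with JBoss's ClientLoginModule, then looks up a role-restricted EJB3 session bean and calls it. The configuration entry name swing-client, the file name auth.conf, the LocalLdapLoginModule class and its url option, the PayrollRemote interface, the JNDI name PayrollBean/remote and the provider URL jnp://localhost:1099 are all assumptions for illustration; org.jboss.security.ClientLoginModule and org.jnp.interfaces.NamingContextFactory are the JBoss AS 4/5 class names.

```java
// Added example, not from the thread. Client-side JAAS login against a JBoss AS 4/5
// server, followed by a call to a role-restricted EJB3 session bean.
//
// Client JAAS configuration (assumed file name auth.conf), passed to the JVM with
//   -Djava.security.auth.login.config=auth.conf
// Two modules: the first (hypothetical LocalLdapLoginModule) validates the credentials
// on the client; the second (JBoss's ClientLoginModule) only stores them so the EJB
// invocation carries them to the server, where the bean's security domain does the
// authentication that actually matters.
//
//   swing-client {
//       com.example.client.auth.LocalLdapLoginModule required
//           url="ldap://ldap.example.com:389";      // hypothetical module and option
//       org.jboss.security.ClientLoginModule required;
//   };
//
// With only ClientLoginModule in the stack, login() never fails; a wrong password
// surfaces as EJBAccessException on the first bean call instead.
package com.example.client;

import java.io.IOException;
import java.util.Arrays;
import java.util.Properties;

import javax.ejb.EJBAccessException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** The bean's @Remote interface (assumed); normally shipped in the EJB client jar. */
interface PayrollRemote {
    String approveSalary(String employeeId);   // bean method annotated @RolesAllowed("manager")
}

public class SecureEjbClient {

    /** Hands the username/password collected by the Swing login dialog to the login modules. */
    static final class DialogCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        DialogCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);   // PasswordCallback copies the array
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    private final Properties jndiEnv = new Properties();

    public SecureEjbClient(String providerUrl) {
        jndiEnv.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
        jndiEnv.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
        jndiEnv.put(Context.PROVIDER_URL, providerUrl);   // e.g. jnp://localhost:1099 (assumed)
    }

    /** Logs in, calls the restricted method, and always logs out again. */
    public String approve(String user, char[] password, String employeeId)
            throws LoginException, NamingException {
        LoginContext lc = new LoginContext("swing-client", new DialogCallbackHandler(user, password));
        lc.login();   // the local module may throw LoginException here; ClientLoginModule never does
        try {
            Context ctx = new InitialContext(jndiEnv);
            // JNDI name assumed; JBoss prints the real binding in the deployment log.
            PayrollRemote payroll = (PayrollRemote) ctx.lookup("PayrollBean/remote");
            return payroll.approveSalary(employeeId);
        } catch (EJBAccessException denied) {
            // Bad credentials or missing role: rejected by the server's security domain,
            // not by lc.login() (the ClientLoginModule caveat discussed above).
            throw new SecurityException("server rejected call for " + user, denied);
        } finally {
            lc.logout();                 // drops the credentials ClientLoginModule stored
            Arrays.fill(password, '\0'); // do not keep the password around in the client
        }
    }

    public static void main(String[] args) throws Exception {
        SecureEjbClient client = new SecureEjbClient("jnp://localhost:1099");
        System.out.println(client.approve("alice", "s3cret".toCharArray(), "E-1042"));
    }
}
```

Two things to check in a real Swing client: the server-side security domain the bean is bound to (via the JBoss @SecurityDomain annotation or jboss.xml) is what the ClientLoginModule's credentials are checked against, so the module named there in login-config.xml is the one that decides LDAP versus database; and because a Swing client is multi-threaded, read the ClientLoginModule documentation for your JBoss version on whether the stored credentials are JVM-wide or per-thread (it has an option for this) before calling EJBs from worker threads other than the one that called login().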
Jose Ortuno
Ranch Hand

Joined: Nov 10, 2002
Posts: 39
Hi there!

Any help/thoughts/how-to/advice on using ProgrammaticLogin from a Swing client to a GlassFish server?

Thanks
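As an added example for the ProgrammaticLogin route chosen in the post above and asked about again here (this code is not from the thread, from the linked Tech Tip, or from the GlassFish project): a small Swing client that collects the account ID and password in a dialog, logs in with GlassFish's com.sun.appserv.security.ProgrammaticLogin, and calls a role-restricted bean off the event-dispatch thread. Assumptions: the GlassFish v2-era login(String user, String password) signature returning Boolean, appserv-rt.jar on the client classpath, the PayrollRemote interface, the JNDI name ejb/PayrollBean, and the ORB host/port shown in the comment.

```java
// Added example, not from the thread or the Tech Tip it links. GlassFish v2-era Swing
// client using com.sun.appserv.security.ProgrammaticLogin (appserv-rt.jar on the
// classpath) instead of a hand-written LoginModule/CallbackHandler.
// Launch with GlassFish's client login configuration and the ORB endpoint, e.g.
//   -Djava.security.auth.login.config=$GLASSFISH_HOME/lib/appclient/appclientlogin.conf
//   -Dorg.omg.CORBA.ORBInitialHost=localhost -Dorg.omg.CORBA.ORBInitialPort=3700
// The login(String, String) signature returning Boolean and the JNDI name ejb/PayrollBean
// are assumptions to check against your GlassFish version.
package com.example.client;

import java.awt.GridLayout;
import java.util.concurrent.ExecutionException;

import javax.ejb.EJBAccessException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.swing.JLabel;
import javax.swing.JOptionPane;
import javax.swing.JPanel;
import javax.swing.JPasswordField;
import javax.swing.JTextField;
import javax.swing.SwingWorker;

import com.sun.appserv.security.ProgrammaticLogin;

/** The bean's @Remote interface (assumed); the method is restricted with @RolesAllowed on the bean. */
interface PayrollRemote {
    String approveSalary(String employeeId);
}

public class GlassFishSwingClient {

    /** Modal login dialog; returns {user, password} or null when cancelled. */
    static String[] askForCredentials() {
        JTextField userField = new JTextField(16);
        JPasswordField passField = new JPasswordField(16);
        JPanel panel = new JPanel(new GridLayout(2, 2));
        panel.add(new JLabel("Account ID:"));
        panel.add(userField);
        panel.add(new JLabel("Password:"));
        panel.add(passField);
        int choice = JOptionPane.showConfirmDialog(null, panel, "Log in",
                JOptionPane.OK_CANCEL_OPTION, JOptionPane.PLAIN_MESSAGE);
        if (choice != JOptionPane.OK_OPTION) {
            return null;
        }
        return new String[] { userField.getText(), new String(passField.getPassword()) };
    }

    /**
     * Stores the credentials in the client security context, calls the restricted bean,
     * and logs out. Keep the login and the call on the same (non-EDT) thread.
     */
    static String approveSalary(String user, String password, String employeeId)
            throws NamingException {
        ProgrammaticLogin pl = new ProgrammaticLogin();
        if (!Boolean.TRUE.equals(pl.login(user, password))) {   // assumed v2 signature
            throw new SecurityException("client-side login failed for " + user);
        }
        try {
            // Host/port come from the ORB system properties above; no jndi.properties needed.
            InitialContext ctx = new InitialContext();
            PayrollRemote payroll = (PayrollRemote) ctx.lookup("ejb/PayrollBean");
            // On a standalone client login() only stores the credentials; they travel with the
            // IIOP call and the server realm verifies them here. A wrong password or a missing
            // role is reported as EJBAccessException (some versions surface the ORB's
            // org.omg.CORBA.NO_PERMISSION instead; check yours).
            return payroll.approveSalary(employeeId);
        } catch (EJBAccessException denied) {
            throw new SecurityException("server rejected " + user + " for approveSalary", denied);
        } finally {
            pl.logout();
        }
    }

    public static void main(String[] args) {
        final String[] creds = askForCredentials();
        if (creds == null) {
            return;
        }
        // Do the remote work off the event-dispatch thread so the UI stays responsive.
        new SwingWorker<String, Void>() {
            protected String doInBackground() throws Exception {
                return approveSalary(creds[0], creds[1], "E-1042");
            }
            protected void done() {
                try {
                    JOptionPane.showMessageDialog(null, get());
                } catch (ExecutionException e) {
                    JOptionPane.showMessageDialog(null, e.getCause().getMessage(),
                            "Access denied", JOptionPane.ERROR_MESSAGE);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            }
        }.execute();
    }
}
```

The design point is the same one raised for JBoss earlier in the thread: the client-side login only establishes who the request claims to be, and the server realm configured for the bean (file, JDBC, LDAP, chosen in the GlassFish admin console) is where the password is actually checked and the roles are mapped, so authentication failures have to be handled around the EJB call, not only around login().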
 