JavaRanch » Java Forums » Certification » EJB Certification (SCBCD/OCPJBCD)
Security for MDB

Deepika Joshi
Ranch Hand

Joined: Feb 24, 2009
Posts: 268
I am not able to understand how security works with MDBs.

An MDB is not invoked by a client; instead it is invoked by the container.



The above code is not from any technical source/book; it is my own doubt.

Thanks.
Deepika Joshi
Ranch Hand

Joined: Feb 24, 2009
Posts: 268
Can someone help me to understand how security works for MDBs?
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14687
isCallerInRole is not allowed to be called from an MDB, so I guess that @RolesAllowed is not allowed to be used either.


[My Blog]
All roads lead to JavaRanch
Deepika Joshi
Ranch Hand

Joined: Feb 24, 2009
Posts: 268
isCallerInRole is not allowed to be called from an MDB,

true I missed to recollect this.

EJB 3 In Action, page 208:

Like transaction management, authentication can be either declarative or programmatic, each of which provides a different level of control over the authentication process. In addition, like the transaction management features discussed in this chapter, security applies to session beans and MDBs, and not the JPA entities.


I am not sure how security works for MDBs.
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14687
I am not sure how security works for MDB?

MDBs are allowed to call getCallerPrincipal, although I don't know what we could do with that. MDBs are also allowed to use the @RunAs annotation.
Amol Katyare
Ranch Hand

Joined: Apr 02, 2007
Posts: 36
This is what my understanding is. Please correct me if I am wrong.

isCallerInRole() - Not allowed in an MDB.
Reason is obvious - no client is available for the security check to be performed.

getCallerPrincipal() and @RunAs - Allowed.
Reason - no security context is passed to onMessage(), but the JMS agent/provider can allow the user to configure credentials that the EJB container may pass on to the MDB. I think that without configuring credentials, by default getCallerPrincipal().getName() returns "Anonymous". Consider a case where onMessage() is further performing a certain task (e.g. calling a service from another domain that requires authenticated users only, or doing persistence-related stuff) wherein it has to have a certain role associated with it. I guess then we can assign the desired role to the MDB.

In a nutshell, security in an MDB works not by taking into account the client's credentials but with the JMS provider's credential mappings.


SCJP [1.4]
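As an added illustration of the points made in this thread (this is example code written for this page, not code from the thread, from EJB 3 In Action, or from any application server), the following EJB 3.0-style MDB reads getCallerPrincipal(), deliberately does not call isCallerInRole(), and uses @RunAs so that the session bean it invokes passes its @RolesAllowed check even though the JMS sender supplied no credentials. The queue name jms/OrderQueue, the role name order-processor, and the bean names OrderService and OrderProcessorMDB are assumptions; the mapping of the order-processor role to an actual user or group is done in the server's deployment descriptor and is not shown.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.EJB;
import javax.ejb.MessageDriven;
import javax.ejb.MessageDrivenContext;
import javax.ejb.Stateless;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.TextMessage;

// Session bean protected declaratively: only callers in the (assumed) role
// "order-processor" may invoke process(). Package-private so that the MDB
// below can be the single public class in this file.
@Stateless
class OrderService {
    @RolesAllowed("order-processor")
    public String process(String orderId) {
        return "processed " + orderId;
    }
}

// MDB listening on an assumed queue. @RunAs gives outgoing calls from
// onMessage() the "order-processor" role; it does NOT change what
// getCallerPrincipal() reports inside the MDB.
@MessageDriven(activationConfig = {
    @ActivationConfigProperty(propertyName = "destinationType",
                              propertyValue = "javax.jms.Queue"),
    @ActivationConfigProperty(propertyName = "destination",
                              propertyValue = "jms/OrderQueue")
})
@RunAs("order-processor")
public class OrderProcessorMDB implements MessageListener {

    @Resource
    private MessageDrivenContext ctx;

    @EJB
    private OrderService orderService;

    @Override
    public void onMessage(Message message) {
        // Allowed in an MDB. Its value is container/provider-defined (the thread
        // reports "ANONYMOUS" on GlassFish), so log it for auditing but do not
        // base an authorization decision on it.
        Principal caller = ctx.getCallerPrincipal();
        String principalName = (caller == null) ? "<none>" : caller.getName();

        // NOT allowed in an MDB: ctx.isCallerInRole("order-processor") would
        // throw IllegalStateException, because no client security context
        // accompanies the message. Authorization for downstream work comes
        // from @RunAs instead.

        try {
            String orderId = ((TextMessage) message).getText();
            // Satisfies OrderService's @RolesAllowed check via the run-as role.
            String result = orderService.process(orderId);
            System.out.println("caller=" + principalName + " -> " + result);
        } catch (JMSException e) {
            // With the default container-managed transaction, an unchecked
            // exception rolls back the receive so the provider can redeliver
            // rather than the message being silently lost.
            throw new RuntimeException("Bad message", e);
        }
    }
}
```

The design point is that the run-as role is chosen at deployment time by the application assembler, not by whoever put the message on the queue, so it should be the narrowest role that lets onMessage() do its job; granting an MDB a broad administrative run-as role turns every message on that queue into a privileged request.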
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14687
I think that without configuring credentials, by default getCallerPrincipal().getName() returns "Anonymous".

Can you tell us where you got that information from?
Amol Katyare
Ranch Hand

Joined: Apr 02, 2007
Posts: 36
From one of the Oracle forums.
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14687
I think that it really depends on what the container wants to set it to. There's no guarantee that the Principal's name will be anonymous in this case. (I tried on Glassfish and it returned "ANONYMOUS").

17.2.5.1 Use of getCallerPrincipal
The meaning of the current caller, the Java class that implements the java.security.Principal interface, and the realm of the principals returned by the getCallerPrincipal method depend on the operational environment and the configuration of the application.
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Amol Katyare wrote:
In a nutshell, security works in MDB not taking into account client's credentials but with JMS provider's credential mappings.

Do you know how to set the credentials?


SCJA 1.0, SCJP 1.4, SCWCD 1.4, SCBCD 1.3, SCJP 5.0, SCEA 5, SCBCD 5; OCUP - Fundamental, Intermediate and Advanced; IBM Certified Solution Designer - OOAD, vUML 2; SpringSource Certified Spring Professional
Amol Katyare
Ranch Hand

Joined: Apr 02, 2007
Posts: 36
It depends on which application server you are using. You may need to check out documentation for that.