Implementing security in WAS 4.0.4

 
Greenhorn
Posts: 7
Does anybody know how to set up security in WebSphere? I have a session bean and I'm trying to get the user's username in order to do audit logs. Whenever I try calling the session context's getCallerPrincipal(), I end up having 'UNAUTHENTICATED' as the Principal. I've tried setting the Principal using the code below but this does not seem to work. I'm still getting 'UNAUTHENTICATED' as Principal.
<code>
Properties properties = new Properties();
properties.put(Context.PROVIDER_URL,"iiop://localhost:910/");
properties.put(Context.INITIAL_CONTEXT_FACTORY,"com.ibm.websphere.naming.WsnInitialContextFactory");
properties.put(Context.SECURITY_PRINCIPAL,"UserName");
properties.put(Context.SECURITY_CREDENTIALS,"Password");
Context initial = new InitialContext(properties);
</code>
I also tried enabling security in WebSphere by editing the server-cfg.xml file as well as configuring the administrative client. Apparently this works to some extent, however I'm getting this exception:
<code>
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
java.rmi.RemoteException: ; nested exception is:
com.ibm.websphere.csi.CSIException: SECJ0053E: Authorization failed for ??? while invoking (Home)ejb/org/manok/ManokHome create:0 securityName: ???;accessID: ??? is not granted any of the required roles: UserRole
java.rmi.RemoteException: ; nested exception is:
com.ibm.websphere.csi.CSIException: SECJ0053E: Authorization failed for ??? while invoking (Home)ejb/org/manok/ManokHome create:0 securityName: ???;accessID: ??? is not granted any of the required roles: UserRole
com.ibm.websphere.csi.CSIException: SECJ0053E: Authorization failed for ??? while invoking (Home)ejb/org/manok/ManokHome create:0 securityName: ???;accessID: ??? is not granted any of the required roles: UserRole
</code>
I'd appreciate any suggestions. Thanks!
 
Ranch Hand
Posts: 78
Can you post the 'security' part of the deployment descriptor?
 
lechon manok
Greenhorn
Posts: 7
Here it is:
<code>
<assembly-descriptor>
  <security-role>
    <description>Test User</description>
    <role-name>UserRole</role-name>
  </security-role>
  <method-permission>
    <role-name>UserRole</role-name>
    <method>
      <ejb-name>Manok</ejb-name>
      <method-intf>Home</method-intf>
      <method-name>*</method-name>
    </method>
    <method>
      <ejb-name>Manok</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
</code>
Any thoughts? Suggestions?
[ November 14, 2002: Message edited by: lechon manok ]
 
Ranch Hand
Posts: 217
WebSphere security is based on CORBA, so the SAS API should be used to pass the user's principal/credentials.
You cannot pass it as a JNDI property as you did in your code:
<code>
Properties properties = new Properties();
properties.put(Context.PROVIDER_URL,"iiop://localhost:910/");
properties.put(Context.INITIAL_CONTEXT_FACTORY,"com.ibm.websphere.naming.WsnInitialContextFactory");
properties.put(Context.SECURITY_PRINCIPAL,"UserName");
properties.put(Context.SECURITY_CREDENTIALS,"Password");
Context initial = new InitialContext(properties);
</code>
Check out the LoginHelper util in the InfoCenter to see how to do client-side authentication.
Your code may work in WLS, but it is not recommended by BEA now. The new trend is to use JAAS; WebSphere 5.0 will support it. And don't forget EJB 2.0 requires the EJB container to support CSIv2, which is CORBA-based. So WebSphere is already leading in the implementation.
 
lechon manok
Greenhorn
Posts: 7
Thanks Simon!
I can see the LoginHelper class but I'm not sure how to use it. Can you direct me to some sample code where an EJB can pick up the caller's ID after using LoginHelper?
Thanks!
 
author
Posts: 3892
LoginHelper is used in the EJB client, not in the server. The code Simon showed you is a direct replacement for the code you showed above (which is WebLogic-specific).
To get a login id in your EJB, you simply use the standard getCallerPrincipal() method in the EJBContext (which should have been the same in WebLogic...)
Kyle
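
The server side of what this reply describes, as an added example that is not code from the thread or from IBM: a session bean method that reads the caller through getCallerPrincipal() for an audit entry and fails closed when the container reports the unauthenticated principal instead of a real user. The class name ManokBean, the method recordChange, the audit line format and the System.out sink are assumptions; the literal "UNAUTHENTICATED" is the value the original poster reported.

```java
import java.security.Principal;
import java.util.Date;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Hypothetical bean class for the thread's "Manok" EJB (EJB 1.1/2.0 style).
public class ManokBean implements SessionBean {
    // Principal name the original poster saw when no identity reached the bean.
    private static final String UNAUTHENTICATED = "UNAUTHENTICATED";
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
    public void ejbRemove() {}

    // Hypothetical business method: audits who asked for the change.
    public void recordChange(String recordId) {
        String caller = authenticatedCaller();
        // Stand-in for the real audit sink (file, table, queue).
        System.out.println(auditLine(caller, "recordChange", recordId));
    }

    // Returns the caller's name, or throws so that no audit entry is ever
    // written under the anonymous identity.
    private String authenticatedCaller() {
        Principal p = ctx.getCallerPrincipal();
        String name = (p == null) ? null : p.getName();
        if (name == null || name.length() == 0
                || UNAUTHENTICATED.equalsIgnoreCase(name)) {
            throw new EJBException("caller is not authenticated; audit refused");
        }
        return name;
    }

    // Builds one audit line; CR/LF are stripped so a value cannot forge a second entry.
    static String auditLine(String caller, String action, String target) {
        return new Date() + " user=" + clean(caller)
             + " action=" + clean(action) + " target=" + clean(target);
    }

    private static String clean(String s) {
        return s == null ? "-" : s.replace('\r', ' ').replace('\n', ' ');
    }
}
```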
 
Greenhorn
Posts: 20
Is it true that using JNDI you will never get a return value from the session context's getCallerPrincipal() other than UNAUTHENTICATED? And you MUST use JAAS?
I followed instructions in the WebSphere Security handbook (WAS 5.0) but always get UNAUTHENTICATED when I try to getCallerPrincipal(). I am at my wit's end.
If it is stated explicitly in some WebSphere documentation that with JNDI lookup, you will never succeed in getting caller principal, I will give up without wasting any more time.
Thanks.
 