Security Principal passed on EJB call

I am working on a large existing EJB 1.1 application that currently does its own security and does not use EJB-managed security.

I am trying to move to more standard solutions in small steps, so I want to start by controlling the security principal that is passed on EJB calls. I am not going to change the current login or security system, so I do not believe that I can move to JAAS at the moment.

Once I have created a java.security.Principal, where do I store it so that it is passed along with my EJB calls and is accessible from the context's getCallerPrincipal()?

Thanks.

0
java ejb
1 answer

Java EE security is more or less all or nothing. You must use the Java EE authentication mechanism to set the security context correctly. As you can see, the EJBContext that you can get through injection is read-only.

The only standard way I know to change the security context is to use things like @RunAs (see example), but it is very inflexible. You cannot pass credentials dynamically.

There are some non-portable, container-specific mechanisms; for example, Glassfish has a ProgrammaticLogin. But even then you need to pass a username/password; you cannot just change the Principal on the fly.

I remember reading articles that explained how to set the security context manually using the container's internal API, but of course that is not portable or supported.

+3
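To make the @RunAs point in the answer concrete, here is an added example (not code from the question or the answer) showing the one standard way the container lets an EJB change the identity seen by downstream beans. It assumes an EJB 3.x container, two roles named "user" and "admin", and a deployment-descriptor mapping of the "admin" run-as role to some principal; the bean names, role names and the role-to-principal mapping are all constructed for illustration. The two classes would live in separate source files.

```java
// File AuditBean.java (hypothetical name)
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Target bean: only callers the container places in the "admin" role may
// invoke it. It reports the principal the container attached to the call,
// which is read-only from the bean's point of view.
@Stateless
@DeclareRoles({"user", "admin"})
public class AuditBean {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("admin")
    public String whoIsCalling() {
        Principal caller = ctx.getCallerPrincipal();   // set by the container, never by bean code
        return caller.getName();
    }
}

// File UserFacadeBean.java (hypothetical name)
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Facade: any authenticated "user" may call it. Because of @RunAs("admin"),
// every EJB call this bean makes is performed with the run-as identity that
// the deployment descriptor maps to the "admin" role, so AuditBean accepts it.
// The run-as identity is fixed at deployment time; it cannot be chosen per call.
@Stateless
@RunAs("admin")
public class UserFacadeBean {

    @EJB
    private AuditBean audit;

    @Resource
    private SessionContext ctx;

    @RolesAllowed("user")
    public String describe() {
        // Inside this bean, getCallerPrincipal() still names the real,
        // container-authenticated caller; @RunAs only affects outgoing calls.
        String authenticatedUser = ctx.getCallerPrincipal().getName();

        // Downstream, AuditBean sees the run-as principal, not the original user.
        String delegatedIdentity = audit.whoIsCalling();

        return "caller=" + authenticatedUser + ", seen downstream as=" + delegatedIdentity;
    }
}
```

Two things this illustrates for the question as asked: there is no slot in which application code can store its own Principal for the container to propagate, and @RunAs swaps the propagated identity only for a role chosen at deployment time, which is exactly the inflexibility the answer describes. An audit log that records both names, as describe() does, is also the usual way to keep the original user visible when delegation is in play.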