
Programming WebLogic Security


Securing EJB Applications

You can use deployment descriptors and the Administration Console to secure EJBs just as you can with Web applications. See Securing Web Applications (Thin Clients) on page 1 for information on securing Web applications.

This section presents the following topics:

    Adding Declarative Security to EJBs
    Using the <global-role/> Tag With EJBs
    Adding Programmatic Security to EJBs

Adding Declarative Security to EJBs

To implement declarative security in EJBs, you use the deployment descriptors (ejb-jar.xml and weblogic-ejb-jar.xml) to define the security requirements. Listing 4-1 shows how the ejb-jar.xml and weblogic-ejb-jar.xml deployment descriptors map security role names to a security realm. The deployment descriptors map the application's logical security requirements to its runtime definitions, and at runtime the EJB container uses those definitions to enforce the requirements.

To configure security in the EJB deployment descriptors, perform the following steps (see Listing 4-1):

  1. Use a text editor to create ejb-jar.xml and weblogic-ejb-jar.xml deployment descriptor files.
  2. In the ejb-jar.xml file, define the role name, EJB name, and method name.
  3. In the WebLogic-specific EJB deployment descriptor file, weblogic-ejb-jar.xml, define the role name and link it to one or more principals in a security realm.

For more information on configuring security in the ejb-jar.xml file, see the Sun Microsystems Enterprise JavaBeans Specification, Version 2.0, which is available at http://java.sun.com/products/ejb/docs.html.

Listing 4-1 Using the ejb-jar.xml and weblogic-ejb-jar.xml Files to Map Security Role Names to a Security Realm

ejb-jar.xml entries:
...
<assembly-descriptor>
  <security-role>
    <role-name>manager</role-name>
    <role-name>east</role-name>
  </security-role>
  <method-permission>
    <role-name>manager</role-name>
    <role-name>east</role-name>
    <method>
      <ejb-name>accountsPayable</ejb-name>
      <method-name>getReceipts</method-name>
    </method>
  </method-permission>
  ...
</assembly-descriptor>
...

weblogic-ejb-jar.xml entries:
<security-role-assignment>
  <role-name>manager</role-name>
  <principal-name>al</principal-name>
  <principal-name>george</principal-name>
  <principal-name>ralph</principal-name>
</security-role-assignment>
...
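A role name that appears in a method-permission element but is spelled differently in the security-role declaration, or a role that is declared but never mapped to a principal in weblogic-ejb-jar.xml, is the kind of mistake that silently locks callers out or leaves a method unprotected at deployment time. The following checker is an added example (it is not part of this document or of WebLogic Server): it parses both descriptors and reports the three mismatches a reviewer would look for. The two descriptor strings are constructed sample input modelled on Listing 4-1, with the security-role name deliberately misspelled as "manger" so that the checker has something to report; the feature URIs passed to the parser are the standard Xerces/JDK ones.

```java
import java.io.StringReader;
import java.util.Set;
import java.util.TreeSet;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Cross-checks role names between ejb-jar.xml and weblogic-ejb-jar.xml. */
public class EjbRoleCheck {

    // Constructed sample descriptors (based on Listing 4-1; "manger" is a deliberate typo).
    static final String EJB_JAR =
        "<ejb-jar><assembly-descriptor>"
      + "<security-role><role-name>manger</role-name></security-role>"
      + "<security-role><role-name>east</role-name></security-role>"
      + "<method-permission><role-name>manager</role-name><role-name>east</role-name>"
      + "<method><ejb-name>accountsPayable</ejb-name><method-name>getReceipts</method-name></method>"
      + "</method-permission></assembly-descriptor></ejb-jar>";

    static final String WEBLOGIC_EJB_JAR =
        "<weblogic-ejb-jar><security-role-assignment><role-name>manager</role-name>"
      + "<principal-name>al</principal-name><principal-name>george</principal-name>"
      + "</security-role-assignment></weblogic-ejb-jar>";

    /** Parses a descriptor without ever fetching its DTD or resolving external entities. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Real ejb-jar.xml files carry a DOCTYPE, so the DOCTYPE itself is allowed;
        // what we refuse is loading the DTD or any external entity it references.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Text of every <role-name> that is a direct child of an element named parentTag. */
    static Set<String> roleNames(Document doc, String parentTag) {
        Set<String> names = new TreeSet<String>();
        NodeList parents = doc.getElementsByTagName(parentTag);
        for (int i = 0; i < parents.getLength(); i++) {
            NodeList kids = parents.item(i).getChildNodes();
            for (int j = 0; j < kids.getLength(); j++) {
                Node k = kids.item(j);
                if (k.getNodeType() == Node.ELEMENT_NODE && "role-name".equals(k.getNodeName())) {
                    names.add(k.getTextContent().trim());
                }
            }
        }
        return names;
    }

    static Set<String> minus(Set<String> a, Set<String> b) {
        Set<String> r = new TreeSet<String>(a);
        r.removeAll(b);
        return r;
    }

    public static void main(String[] args) throws Exception {
        Document ejb = parse(EJB_JAR);
        Document wl = parse(WEBLOGIC_EJB_JAR);
        Set<String> declared = roleNames(ejb, "security-role");          // [east, manger]
        Set<String> used = roleNames(ejb, "method-permission");          // [east, manager]
        Set<String> assigned = roleNames(wl, "security-role-assignment"); // [manager]

        System.out.println("used in method-permission but never declared: " + minus(used, declared));
        System.out.println("declared but with no principal mapping:       " + minus(declared, assigned));
        System.out.println("mapped to principals but never declared:      " + minus(assigned, declared));
    }
}
```

Run against the sample it reports "manager" as used but undeclared, "east" and "manger" as declared but unmapped, and "manager" as mapped but undeclared, which is exactly the typo. Pointing the same code at a deployed JAR's META-INF/ejb-jar.xml and META-INF/weblogic-ejb-jar.xml gives a quick pre-deployment check that the role names line up across both files.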

Using the <global-role/> Tag With EJBs

With WebLogic Server versions 7.0 SP1 and later, there are four different options, or approaches, that you can use to configure security in EJBs:

Listing 4-2 shows how to use the <global-role/> tag with the ejb-jar.xml and weblogic-ejb-jar.xml deployment descriptors.

Listing 4-2 Using the <global-role> tag in EJB Deployment Descriptors for Role Mapping

ejb-jar.xml entries:
...
<assembly-descriptor>
  <security-role>
    <role-name>manager</role-name>
    <role-name>east</role-name>
  </security-role>
  <method-permission>
    <role-name>manager</role-name>
    <role-name>east</role-name>
    <method>
      <ejb-name>accountsPayable</ejb-name>
      <method-name>getReceipts</method-name>
    </method>
  </method-permission>
  ...
</assembly-descriptor>
...

weblogic-ejb-jar.xml entries:
<security-role-assignment>
  <role-name>manager</role-name>
  <global-role/>
  ...
</security-role-assignment>
...

For information about how to use the Administration Console to configure security for EJBs, see Managing WebLogic Security.

Adding Programmatic Security to EJBs

To implement programmatic security in EJBs you use the javax.ejb.EJBContext.getCallerPrincipal() and the javax.ejb.EJBContext.isCallerInRole() methods.

getCallerPrincipal

You use the getCallerPrincipal() method to determine the caller of the enterprise Java bean. The javax.ejb.EJBContext.getCallerPrincipal() method returns the java.security.Principal object that identifies the caller. You can use the Principal object's getName() method to retrieve the current user's name and then do a lookup to determine whether the user has the privileges needed to access the resource.

For more information about how to use the getCallerPrincipal() method, see http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security5.html.

isCallerInRole

The isCallerInRole() method is used to determine whether the caller (the current user) has been assigned a role that is authorized to perform actions on the WebLogic Server resources in that thread of execution. For example, javax.ejb.EJBContext.isCallerInRole("admin") returns true if the current user has admin privileges.

For more information about how to use the isCallerInRole() method, see http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security5.html.

For Javadoc for the isCallerInRole() method, see http://java.sun.com/products/ejb/javadoc-1.1/javax/ejb/EJBContext.html#isCallerInRole(java.lang.String).
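The following session bean is an added example, not code from this document or from WebLogic Server, showing how the two methods combine with the declarative permissions above. The bean and its getReceipts(String region) method are hypothetical; the method-permission in ejb-jar.xml is assumed to already restrict getReceipts to the manager and east roles, and the bean adds a finer-grained programmatic check on the region argument that a deployment descriptor cannot express. The names passed to isCallerInRole() are assumed to be security-role-ref names linked (via role-link in ejb-jar.xml) to the manager and east security roles.

```java
import java.security.Principal;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/** Hypothetical EJB 2.0 stateless session bean guarding per-region receipts. */
public class AccountsPayableBean implements SessionBean {

    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) {
        this.ctx = ctx;
    }

    /**
     * Pure decision function, kept free of container types so it can be unit-tested
     * outside WebLogic: managers may read any region, "east" callers only the east region.
     */
    static boolean mayReadRegion(boolean callerIsManager, boolean callerIsEast, String region) {
        if (region == null) {
            return false;                       // deny by default on malformed input
        }
        return callerIsManager || (callerIsEast && "east".equals(region));
    }

    /** Business method; the container has already applied the declarative method-permission. */
    public String getReceipts(String region) {
        // The EJB specification guarantees a non-null Principal inside a business method.
        Principal caller = ctx.getCallerPrincipal();
        boolean allowed = mayReadRegion(
            ctx.isCallerInRole("manager"),
            ctx.isCallerInRole("east"),
            region);
        if (!allowed) {
            // Record who was denied what; keep the message returned to the caller generic.
            System.err.println("getReceipts(" + region + ") denied for " + caller.getName());
            throw new EJBException("not authorized");
        }
        return "receipts for region " + region;  // placeholder for the real data access
    }

    // Remaining SessionBean lifecycle callbacks (no state to manage in this example).
    public void ejbCreate() { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }
}
```

Separating the decision into mayReadRegion() means the authorization rule can be tested with plain JUnit (for example, mayReadRegion(false, true, "west") must be false) without deploying the bean, while the container-dependent calls stay in the business method where the EJBContext is valid.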
