Securing WebLogic Resources


Example: Securing Enterprise JavaBean (EJB) Resources

In this example, you will restrict access to all the EJBs in the ejb20_basic_statelessSession JAR to a user who has been granted a global security role you created. Next, you will further restrict access to the statelessSession EJB (contained within this EJB JAR) to a different user. Last, you will tighten security on particular EJB methods (the create() and buy() methods) even further. Along the way, note the rule that drives every result: a policy defined on a narrower scope (method, then bean, then JAR) replaces the policy inherited from the broader scope; the two are never combined.

Note: Prior to reviewing this example, you should read: Techniques for Securing URL and EJB Resources; Prerequisites for Securing URL and EJB Resources; and Types of Security Roles: Global Roles and Scoped Roles.

To secure these Enterprise JavaBean (EJB) resources using the WebLogic Server Administration Console, follow these steps:

 


Step 1: Specify Server and Prerequisite Settings

  1. Set the fullyDelegateAuthorization flag equal to true, using the instructions in How to Change the fullyDelegateAuthorization Flag.

    Note: Recall what this setting means: you are telling WebLogic Server that you want the WebLogic Security Service to perform security checks on all URL (Web) and EJB resources. For more information, see Understanding the fullyDelegateAuthorization Flag.

  2. From the Windows Start menu, select Programs —> BEA WebLogic Platform 7.0 —> WebLogic Server 7.0 —> Server Tour and Examples —> Launch Examples Server to start the server called examplesServer.

    The fullyDelegateAuthorization flag appears in the console as the examplesServer starts, and the BEA WebLogic Server Out-of-the-Box Examples Index Page opens in your browser.

  3. Click the Administration Console link, located at the top of the BEA WebLogic Server Out-of-the-Box Examples Index Page.

  4. Click the Sign In button to sign in to the Administration Console for the examplesServer.

  5. Using the navigation tree at the left side of the Administration Console, expand Security, then Realms.

  6. Click the myrealm security realm.

  7. On the General tab, click the Ignore Security Data in Deployment Descriptors check box. (That is, you should be putting a check mark in the box.)

    Note: Recall what this setting means: you are telling WebLogic Server that you will set security for Web application and EJB resources using the Administration Console, not deployment descriptors. For more information, see Understanding the Ignore Security Data in Deployment Descriptors Check Box.

  8. Click Apply to save your changes.

 


Step 2: Create a Group

  1. Using the navigation tree at the left side of the Administration Console, expand Security, then Realms.

  2. Expand the myrealm security realm.

  3. Click Groups.

    The Select Groups page displays all the groups currently defined in the WebLogic Authentication provider's database.

  4. Click the Configure a New Group... link to display the Create Group page.

  5. On the General tab, in the Name field, type: Testers

  6. If desired, enter a description of the group in the Description field.

  7. Click Apply to save your changes.

 


Step 3: Create Users

  1. Using the navigation tree, click Users.

    The Select Users page displays all the users currently defined in the WebLogic Authentication provider's database.

  2. Click the Configure a New User... link to display the Create User page.

  3. On the General tab, in the Name field, type: Stephanie

  4. If desired, enter a description of the user in the Description field.

  5. In the Password and Confirm Password fields, type: ejbexample

  6. Click Apply to save your changes.

  7. Repeat steps 2 - 6 to create a user named Jen.

  8. Using the navigation tree, click Users, and confirm that users Stephanie and Jen have been added.

    The Select Users page shows that Stephanie and Jen have been added to the WebLogic Authentication provider's database.

 


Step 4: Add a User to the Group

  1. On the Select Users page, click the hyperlinked user name Stephanie.

  2. Click the Groups tab.

  3. In the Possible Groups list box, highlight the Testers group.

  4. Click the highlighted arrow to move the Testers group from the Possible Groups list box to the Current Groups list box.

  5. Click Apply to save your changes.

Note: Do not add Jen to the Testers group.

 


Step 5: Create a Global Role

  1. Using the navigation tree, click Roles.

    The Select Roles page displays all the global roles currently defined in the WebLogic Role Mapping provider's database.

  2. Click the Configure a New Role... link to display the Create Role page.

  3. On the General tab, in the Name field, type: QA

  4. Click Apply to save your changes.

 


Step 6: Grant the Global Role to the Group

  1. Click the Conditions tab.

  2. In the Role Condition list box, highlight: Caller is a Member of the Group.

  3. Click Add to open the Groups window.

  4. In the Enter Group Name field, type: Testers

  5. Click Add, then OK.

    The Groups window closes. The Role Statement list box reads:

    Caller is a Member of the Group

    Testers

  6. Click Apply to save your changes.

 


Step 7: Create a Security Policy for the statelessSession EJB JAR Using the Global Role

  1. Using the navigation tree, expand Deployments, then EJB.

  2. Right-click ejb20_basic_statelessSession.jar.

  3. From the menu, select the Define Policy... option.

    Note: Recall what this option means: you are creating a security policy at the EJB JAR level, which includes all EJBs within the JAR, and all methods within those EJBs.

  4. In the Policy Condition list box, highlight: Caller is Granted the Role.

  5. Click Add to open the Roles window.

  6. In the Enter Role Name field, type: QA

  7. Click Add, then OK.

    The Roles window closes. The Policy Statement list box reads:

    Caller is Granted the Role

    QA

    Note: Recall that by defining this security policy on the ejb20_basic_statelessSession.jar, you are overriding any security policies that have already been defined for the EJB resource type. Specifically, you are overriding the inherited policy statement:

    Caller is a Member of the Group

       Everyone

    that is shown in the Inherited Policy Statements list box.

    This Caller is a Member of the Group policy condition is part of the default security policy for EJB resources. For more information, see Default Security Policies.

  8. Click Apply to save your changes.

 


Step 8: Attempt to Access EJBs Through a Client Application

Note: All instructions provided in this section assume that you are working in a Windows environment.

  1. Open a DOS shell and type: cd WL_HOME\samples\server\config\examples, where WL_HOME is the top-level installation directory for WebLogic Platform.

  2. Type: setExamplesEnv.cmd to set your environment.

  3. Type: cd ..\..\src\examples\security\jaas

  4. Type: ant to build the example.

  5. Copy the sample_jaas.config file from the WL_HOME\samples\server\src\examples\security\jaas directory to the JAVA_HOME\jre\lib\security directory, where JAVA_HOME is the location of your Java SDK installation.

  6. Edit the java.security file (also located in the JAVA_HOME\jre\lib\security directory) and add the following line to the very end of the file (all on one line):

    login.config.url.1=file:${java.home}/lib/security/sample_jaas.config

  7. Restart the examplesServer. (For help, see "Starting and Stopping WebLogic Servers" in the WebLogic Server Administration Guide.)

  8. In the WL_HOME\samples\server\src\examples\security\jaas directory, edit the build.xml file as follows:

    1. Scroll to the end of the file and locate the line: <target name="run"> (see Listing 7-1).

    2. In the <arg line> element, change the user name and password (currently weblogic weblogic, also shown in Listing 7-1) to Stephanie ejbexample.

    3. Save the build.xml file.

Listing 7-1 Relevant Portion of the build.xml File

<!-- Run the example -->
  <target name="run" >
      <java classname="examples.security.jaas.SampleClient"
            fork="yes" failonerror="true">
         <!-- URL, then the user name and password passed to the JAAS login -->
         <arg line="t3://localhost:${PORT} weblogic weblogic"/>
         <classpath>
            <pathelement path="${CLASSPATH};${CLIENT_CLASSES}/ejb20_basic_statelessSession_client.jar;${CLIENT_CLASSES}/utils_common.jar"/>
         </classpath>
      </java>
   </target>

  9. In the same directory (WL_HOME\samples\server\src\examples\security\jaas) type: ant run

    You should see output similar to the following:

    Buildfile: build.xml

    run:
       [java] username: Stephanie
       [java] password: **********
       [java] URL: t3://localhost:7001
       [java] Creating a trader
       [java] Buying 100 shares of BEAS.
       [java] Buying 200 shares of MSFT.
       [java] Buying 300 shares of AMZN.
       [java] Buying 400 shares of HWP.
       [java] Selling 100 shares of BEAS.
       [java] Selling 200 shares of MSFT.
       [java] Selling 300 shares of AMZN.
       [java] Selling 400 shares of HWP.
       [java] Removing the trader

    BUILD SUCCESSFUL

    Total time: 5 seconds

    This succeeds because Stephanie is a member of the Testers group, the QA global role is granted to Testers (Step 6), and the security policy you placed on ejb20_basic_statelessSession.jar (Step 7) admits any caller who is granted QA.

  10. Repeat steps 8 - 9, but use Jen ejbexample as the user name and password in the build.xml file.

    You should see output that starts with:

    run:
       [java] username: Jen
       [java] password: **********
       [java] URL: t3://localhost:7001
       [java] Creating a trader
       [java] java.rmi.AccessException: Security violation: User Jen has insufficient permission to access method; nested exception is:
       [java] java.lang.SecurityException: Security violation: User Jen has insufficient permission to access method

    Jen is denied because she is not a member of Testers and so is never granted the QA role that the policy on ejb20_basic_statelessSession.jar requires. The denial happens at the first EJB call (create()), before any trading method is reached.

 


Step 9: Restrict Access to the statelessSession EJB

  1. Using the navigation tree at the left side of the Administration Console, right-click ejb20_basic_statelessSession.jar.

  2. From the menu, select the Define Policies and Roles for Individual Beans... option.

    A table listing all the EJBs that are in the JAR file appears (in this case, just the statelessSession EJB).

    Note: Recall what this option means: you can create a security policy at the EJB level (meaning the security policy will apply to all methods within the EJB), or for a particular method within the EJB.

  3. Click the [Define Policies] link for the statelessSession EJB.

  4. In the Policy Condition list box, highlight: User Name of the Caller.

    Note: Do not modify the value shown in the Methods drop-down menu. (It should read: ALL.)

  5. Click Add to open the Users window.

  6. In the Enter User Name field, type: Jen

  7. Click Add, then OK.

    The Users window closes. The Policy Statement list box reads:

    User Name of the Caller

    Jen

    Note: Recall that by defining this security policy on the statelessSession EJB, you are overriding the security policy that has already been defined for the EJB JAR in Step 7: Create a Security Policy for the statelessSession EJB JAR Using the Global Role. Specifically, you are overriding the inherited policy statement of:

    Caller is Granted the Role

       QA

    that is shown in the Inherited Policy Statements list box.

  8. Click Apply to save your changes.

  9. Repeat steps 8 - 10 in Step 8: Attempt to Access EJBs Through a Client Application.

    The output from the client application should be the reverse of what it was. In other words, Stephanie should be denied access to the statelessSession EJB, and Jen should be granted access.

    This reversal occurs because the bean-level policy (User Name of the Caller: Jen) now replaces the JAR-level policy (Caller is Granted the Role: QA) for every method of statelessSession; it does not combine with it. Stephanie's QA role no longer counts for this bean, and Jen is admitted by name.

 


Step 10: Restrict Access to the create() and buy() EJB Methods

  1. Using the navigation tree at the left side of the Administration Console, right-click ejb20_basic_statelessSession.jar.

  2. From the menu, select the Define Policies and Roles for Individual Beans... option.

    A table listing all the EJBs that are in the JAR file appears (in this case, just the statelessSession EJB).

    Note: Recall what this option means: you can create a security policy at the EJB level (meaning the security policy will apply to all methods within the EJB), or for a particular method within the EJB.

  3. Click the [Define Policies] link for the statelessSession EJB.

  4. Using the Methods drop-down menu, select the create() - HOME method.

  5. In the Policy Condition list box, highlight: Caller is a Member of the Group.

  6. Click Add to open the Groups window.

  7. In the Enter Group Name field, type: Testers

  8. Click Add, then OK.

    The Groups window closes. The Policy Statement list box reads:

    Caller is a Member of the Group

    Testers

    Note: Recall that by defining this security policy on the create() method, you are overriding the security policy that has already been defined for the statelessSession EJB in Step 9: Restrict Access to the statelessSession EJB. Specifically, you are overriding the inherited policy statement of:

    User Name of the Caller

       Jen

    that is shown in the Policy Statement list box when ALL is selected from the Methods drop-down menu.

  9. Click Apply to save your changes.

  10. Repeat steps 4 - 9 to secure the buy(java.lang.String, int) - REMOTE method, using the same Policy Statement.

  11. Repeat steps 8 - 10 in Step 8: Attempt to Access EJBs Through a Client Application.

    The client application should now fail at different methods for Stephanie and Jen. Stephanie is a member of Testers, so the new method-level policies admit her to create() and buy(); sell() has no method-level policy and therefore still falls under the bean-level policy from Step 9, which admits only Jen, so Stephanie is denied at the first sell() call (see Listing 7-2 for sample output). Jen is not a member of Testers, so she is denied at create() before any other method is reached (see Listing 7-3 for sample output). The general rule this illustrates: the most specific policy is the only one consulted, and it replaces the broader policy rather than being evaluated together with it.

Listing 7-2 Output for User Stephanie: Access Denied at sell() Method

Buildfile: build.xml
run:
   [java] username: Stephanie
   [java] password: **********
   [java] URL: t3://localhost:7001
   [java] Creating a trader
   [java] Buying 100 shares of BEAS.
   [java] Buying 200 shares of MSFT.
   [java] Buying 300 shares of AMZN.
   [java] Buying 400 shares of HWP.
   [java] Selling 100 shares of BEAS.
   [java] java.rmi.AccessException: Security Violation: User: 'Stephanie' has insufficient permission to access EJB: type=<ejb>, application=_appsdir_ejb20_basic_statelessSession_ear, module=ejb20_basic_statelessSession.jar, ejb=statelessSession, method=sell, methodInterface=Remote, signature={java.lang.String,int}.

Listing 7-3 Output for User Jen: Access Denied at create() Method

Buildfile: build.xml
run:
   [java] username: Jen
   [java] password: **********
   [java] URL: t3://localhost:7001
   [java] Creating a trader
   [java] java.rmi.AccessException: Security violation: User Jen has insufficient permission to access method; nested exception is:
   [java] java.lang.SecurityException: Security violation: User Jen has insufficient permission to access method

These results occur because the client application calls the EJB methods that you just secured with security policies.
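To see why the three rounds of policies (Steps 7, 9 and 10) produce exactly these outcomes, the following is an added Python model of the resolution rule the page relies on: the most specific policy (method, then bean, then JAR, then the resource-type default) is the only one consulted and replaces the broader one outright. It is not code from the BEA documentation or from WebLogic Server. The group, role, user, JAR, bean and method names are the page's; the data structures, the function names, the treatment of Everyone as a group every caller belongs to, and the joining of several conditions within one policy with "or" are assumptions made for the model (every policy on this page has a single condition, so that last choice does not affect the results).

```python
"""Model of WebLogic 7.0 policy resolution for the statelessSession example.

Added example, not part of the BEA documentation or of WebLogic itself.
Names (Testers, QA, Stephanie, Jen, statelessSession) are the page's; the
helper names and data structures are hypothetical.
"""
from typing import Dict, List, Optional, Tuple

Condition = Tuple[str, str]          # ("user" | "group" | "role", name)
Scope = Tuple[str, ...]              # (jar,), (jar, bean) or (jar, bean, method)
PolicyTable = Dict[Scope, List[Condition]]

JAR = "ejb20_basic_statelessSession.jar"
BEAN = "statelessSession"

# Constructed identity data mirroring Steps 2-6 of the page. Jen is
# deliberately not a member of Testers. "Everyone" is modelled as a group
# that every caller belongs to (an assumption of this model).
GROUPS: Dict[str, set] = {"Testers": {"Stephanie"}}
ROLES: Dict[str, List[Condition]] = {"QA": [("group", "Testers")]}

# Default policy for the EJB resource type, as stated on the page.
DEFAULT_EJB_POLICY: List[Condition] = [("group", "Everyone")]

# SampleClient's call order as shown in the page's listings (method names
# only; the HOME/REMOTE interface distinction is not modelled).
CLIENT_CALLS = ["create"] + ["buy"] * 4 + ["sell"] * 4 + ["remove"]


def in_group(user: str, group: str) -> bool:
    return group == "Everyone" or user in GROUPS.get(group, set())


def condition_holds(user: str, condition: Condition) -> bool:
    kind, value = condition
    if kind == "user":
        return user == value
    if kind == "group":
        return in_group(user, value)
    if kind == "role":
        # A role is granted when one of its role conditions holds.
        return any(condition_holds(user, c) for c in ROLES.get(value, []))
    raise ValueError(f"unknown condition type {kind!r}")


def effective_policy(policies: PolicyTable, jar: str, bean: str, method: str) -> List[Condition]:
    """Return the one policy consulted for this call.

    The most specific scope wins outright: a method policy replaces the bean
    policy, which replaces the JAR policy, which replaces the resource-type
    default. Nothing is intersected with anything.
    """
    for scope in ((jar, bean, method), (jar, bean), (jar,)):
        if scope in policies:
            return policies[scope]
    return DEFAULT_EJB_POLICY


def is_granted(user: str, policies: PolicyTable, jar: str, bean: str, method: str) -> bool:
    # Conditions inside one policy are joined with "or" in this model.
    return any(condition_holds(user, c)
               for c in effective_policy(policies, jar, bean, method))


def policies_after_step7() -> PolicyTable:
    # JAR-level policy: Caller is Granted the Role QA
    return {(JAR,): [("role", "QA")]}


def policies_after_step9() -> PolicyTable:
    # Bean-level policy: User Name of the Caller Jen (replaces the JAR policy)
    policies = policies_after_step7()
    policies[(JAR, BEAN)] = [("user", "Jen")]
    return policies


def policies_after_step10() -> PolicyTable:
    # Method-level policies on create() and buy(): Caller is a Member of the
    # Group Testers. sell() and remove() keep the bean-level policy.
    policies = policies_after_step9()
    policies[(JAR, BEAN, "create")] = [("group", "Testers")]
    policies[(JAR, BEAN, "buy")] = [("group", "Testers")]
    return policies


def first_denied_call(user: str, policies: PolicyTable) -> Optional[str]:
    """Replay the client's call sequence; return the first refused method, or None."""
    for method in CLIENT_CALLS:
        if not is_granted(user, policies, JAR, BEAN, method):
            return method
    return None


if __name__ == "__main__":
    scenarios = [("Step 7", policies_after_step7()),
                 ("Step 9", policies_after_step9()),
                 ("Step 10", policies_after_step10())]
    for label, table in scenarios:
        for caller in ("Stephanie", "Jen"):
            denied = first_denied_call(caller, table)
            outcome = "all calls succeed" if denied is None else f"denied at {denied}()"
            print(f"{label}: {caller}: {outcome}")
```

Running the model reproduces the page's three outcomes (after Step 7 Jen fails at create(); after Step 9 Stephanie fails at create(); after Step 10 Stephanie fails at sell() and Jen at create()). The practical lesson is in effective_policy(): because a narrower policy replaces rather than narrows the inherited one, adding a method-level policy can silently re-admit callers that a bean- or JAR-level policy excluded, so each scope must be reviewed on its own.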

 
