0 Replies. Latest reply: Aug 3, 2012 12:56 AM by 952766

Applying Roles Based Security for EJB

952766
Hi,

I am using JDeveloper 11g R2 and I am working on an EJB application. I have to apply role-based security on session bean (EJB3) methods, for which I tried annotating the session bean method with "@RolesAllowed" as below:

    /** <code>select o from App o</code> */
    @RolesAllowed({"User1"})
    public List<App> getEmployee() {
        return em.createNamedQuery("Employee.findAll").getResultList();
    }

For creating users, groups and roles I am using jazn-data.xml as below:

<?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
<jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data.xsd">
  <jazn-realm default="jazn.com">
    <realm>
      <name>jazn.com</name>
      <users>
        <user>
          <name>user1</name>
          <display-name>user1</display-name>
          <credentials>welcome1</credentials>
        </user>
        <user>
          <name>user2</name>
          <display-name>user2</display-name>
          <credentials>welcome1</credentials>
        </user>
      </users>
      <roles>
        <role>
          <name>User1-Group</name>
          <display-name>user1-group</display-name>
          <description>Enterprise protocol recruiter user group</description>
          <members>
            <member>
              <type>user</type>
              <name>user1</name>
            </member>
          </members>
        </role>
        <role>
          <name>User2-Group</name>
          <display-name>user2-group</display-name>
          <description>Enterprise protocol validator user group</description>
          <members>
            <member>
              <type>user</type>
              <name>user2</name>
            </member>
          </members>
        </role>
      </roles>
    </realm>
  </jazn-realm>
  <policy-store>
    <applications>
      <application>
        <name>AppName</name>
        <app-roles>
          <app-role>
            <name>all</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <display-name>all</display-name>
            <members>
              <member>
                <name>anonymous-role</name>
                <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
              </member>
            </members>
          </app-role>
          <app-role>
            <name>User1</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <display-name>protocol validator user authenticated</display-name>
            <members>
              <member>
                <name>User1-Group</name>
                <!--<class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>-->
                <class>weblogic.security.principal.WLSGroupImpl</class>
              </member>
              <member>
                <name>User2-Group</name>
                <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
              </member>
            </members>
          </app-role>
          <app-role>
            <name>User2</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <display-name>protocol recruiter user authenticated</display-name>
            <members>
              <member>
                <name>User1-Group</name>
                <!--<class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>-->
                <class>weblogic.security.principal.WLSGroupImpl</class>
              </member>
              <member>
                <name>User2-Group</name>
                <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
              </member>
            </members>
          </app-role>
        </app-roles>
        <jazn-policy>
          <grant>
            <grantee>
              <principals>
                <principal>
                  <name>User1</name>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission></permission>
            </permissions>
          </grant>
          <grant>
            <grantee>
              <principals>
                <principal>
                  <name>User2</name>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission></permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>

After deploying the EJB and running the application, security does get applied and throws an exception: [EJB:010160]Security Violation: User: 'XXX' has insufficient permission to access EJB

After adding the WebLogic EJB deployment descriptor as below,

<weblogic-enterprise-bean>
  <ejb-name>ApplicationFacade</ejb-name>
  <stateless-session-descriptor/>
  <enable-call-by-reference>true</enable-call-by-reference>
</weblogic-enterprise-bean>
<security-role-assignment>
  <role-name>User1</role-name>
  <principal-name>user1</principal-name>
</security-role-assignment>

it starts working as expected.

My question is related to the WebLogic EJB deployment descriptor (weblogic-ejb-jar.xml): do I have to make an entry for each user (principal-name) each time I add a new user, or is there a way by which I can map user groups?

Also let me know if I have missed any other configuration required to add permissions.

Thanks in advance,
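For the group mapping the question asks about, here is an added example weblogic-ejb-jar.xml (not from the original post) that assigns the EJB role to a group rather than to a single user. It assumes the bean and role names used above, and that the jazn-data.xml enterprise roles exist as WebLogic groups of the same name in the server's security realm (the JDeveloper integrated server creates them when users and groups are migrated on deploy).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; not the poster's descriptor. Bean and role names are
     taken from the question, group provisioning in the realm is assumed. -->
<weblogic-ejb-jar xmlns="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar">

  <weblogic-enterprise-bean>
    <ejb-name>ApplicationFacade</ejb-name>
    <stateless-session-descriptor/>
    <enable-call-by-reference>true</enable-call-by-reference>
  </weblogic-enterprise-bean>

  <!-- principal-name accepts a user OR a group known to the WebLogic realm.
       Mapping the role to the group means new users are added to the group
       in the realm; this descriptor does not change per user. -->
  <security-role-assignment>
    <role-name>User1</role-name>
    <principal-name>User1-Group</principal-name>
  </security-role-assignment>

  <!-- Alternative: leave the role-to-principal mapping entirely to the
       realm (administration console or security provider), so the EJB
       jar carries no principal names at all. -->
  <security-role-assignment>
    <role-name>User2</role-name>
    <externally-defined/>
  </security-role-assignment>

</weblogic-ejb-jar>
```

With group-level mapping, access follows realm group membership, so onboarding a user means adding them to User1-Group rather than editing and redeploying the descriptor. Note that the posted jazn-data.xml makes both User1-Group and User2-Group members of each app role, so the effective split between User1 and User2 is only as tight as that membership; check it matches the intended least-privilege separation.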
