0 Replies Latest reply: Aug 3, 2012 2:56 AM by 952766

    Applying Roles Based Security for EJB

    952766
      Hi,

      I am using JDeveloper 11g R2 and I am working on an EJB application. I have to apply role-based security on session bean (EJB3) methods, for which I tried annotating the session bean method with "@RolesAllowed" as below:

      /** <code>select o from App o</code> */
      @RolesAllowed({"User1"})
      public List<App> getEmployee() {
          return em.createNamedQuery("Employee.findAll").getResultList();
      }

      For creating users, groups and roles I am using jazn-data.xml as below:

      <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
      <jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data.xsd">
        <jazn-realm default="jazn.com">
          <realm>
            <name>jazn.com</name>
            <users>
              <user>
                <name>user1</name>
                <display-name>user1</display-name>
                <credentials>welcome1</credentials>
              </user>
              <user>
                <name>user2</name>
                <display-name>user2</display-name>
                <credentials>welcome1</credentials>
              </user>
            </users>
            <roles>
              <role>
                <name>User1-Group</name>
                <display-name>user1-group</display-name>
                <description>Enterprise protocol recruiter user group</description>
                <members>
                  <member>
                    <type>user</type>
                    <name>user1</name>
                  </member>
                </members>
              </role>
              <role>
                <name>User2-Group</name>
                <display-name>user2-group</display-name>
                <description>Enterprise protocol validator user group</description>
                <members>
                  <member>
                    <type>user</type>
                    <name>user2</name>
                  </member>
                </members>
              </role>
            </roles>
          </realm>
        </jazn-realm>
        <policy-store>
          <applications>
            <application>
              <name>AppName</name>
              <app-roles>
                <app-role>
                  <name>all</name>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <display-name>all</display-name>
                  <members>
                    <member>
                      <name>anonymous-role</name>
                      <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
                    </member>
                  </members>
                </app-role>
                <app-role>
                  <name>User1</name>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <display-name>protocol validator user authenticated</display-name>
                  <members>
                    <member>
                      <name>User1-Group</name>
                      <!--<class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>-->
                      <class>weblogic.security.principal.WLSGroupImpl</class>
                    </member>
                    <member>
                      <name>User2-Group</name>
                      <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                    </member>
                  </members>
                </app-role>
                <app-role>
                  <name>User2</name>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <display-name>protocol recruiter user authenticated</display-name>
                  <members>
                    <member>
                      <name>User1-Group</name>
                      <!--<class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>-->
                      <class>weblogic.security.principal.WLSGroupImpl</class>
                    </member>
                    <member>
                      <name>User2-Group</name>
                      <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                    </member>
                  </members>
                </app-role>
              </app-roles>
              <jazn-policy>
                <grant>
                  <grantee>
                    <principals>
                      <principal>
                        <name>User1</name>
                        <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                      </principal>
                    </principals>
                  </grantee>
                  <permissions>
                    <permission></permission>
                  </permissions>
                </grant>
                <grant>
                  <grantee>
                    <principals>
                      <principal>
                        <name>User2</name>
                        <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                      </principal>
                    </principals>
                  </grantee>
                  <permissions>
                    <permission></permission>
                  </permissions>
                </grant>
              </jazn-policy>
            </application>
          </applications>
        </policy-store>
      </jazn-data>

      After deploying the EJB and running the application, security does get applied and throws an exception: [EJB:010160]Security Violation: User: 'XXX' has insufficient permission to access EJB

      After adding the WebLogic EJB deployment descriptor as below,

      <weblogic-enterprise-bean>
        <ejb-name>ApplicationFacade</ejb-name>
        <stateless-session-descriptor/>
        <enable-call-by-reference>true</enable-call-by-reference>
      </weblogic-enterprise-bean>
      <security-role-assignment>
        <role-name>User1</role-name>
        <principal-name>user1</principal-name>
      </security-role-assignment>

      it starts working as expected.

      My question is related to the WebLogic EJB deployment descriptor (weblogic-ejb-jar.xml): do I have to make an entry for each user (principal-name) each time I am adding a new user, or is there a way by which I can map user groups?

      Also let me know if I have missed any other configuration required to add permissions.

      Thanks in advance,
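As an added example (not part of the original post), a complete weblogic-ejb-jar.xml that maps the EJB role to a group instead of to individual users, with the per-user mapping from the post left commented out for comparison. It assumes the jazn-data.xml enterprise role User1-Group is provisioned as a WebLogic group of the same name when the application is deployed to the integrated server; the bean name ApplicationFacade and the role names User1/User2 are taken from the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-ejb-jar xmlns="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar
                                      http://xmlns.oracle.com/weblogic/weblogic-ejb-jar/1.1/weblogic-ejb-jar.xsd">
  <weblogic-enterprise-bean>
    <ejb-name>ApplicationFacade</ejb-name>
    <stateless-session-descriptor/>
    <enable-call-by-reference>true</enable-call-by-reference>
  </weblogic-enterprise-bean>

  <!-- Per-user mapping, as in the post: one principal-name per user, so every
       new user needs a descriptor edit and a redeploy. -->
  <!--
  <security-role-assignment>
    <role-name>User1</role-name>
    <principal-name>user1</principal-name>
  </security-role-assignment>
  -->

  <!-- Group mapping: principal-name may name a WebLogic group, so the EJB role
       follows group membership in the security realm and new users only need
       to be added to the group. ASSUMPTION: the jazn-data.xml enterprise role
       User1-Group exists as a WebLogic group of the same name after deployment. -->
  <security-role-assignment>
    <role-name>User1</role-name>
    <principal-name>User1-Group</principal-name>
  </security-role-assignment>

  <!-- Alternative: keep no principal names in the descriptor at all and let the
       realm's role mapping provider (administered in the WebLogic console)
       decide who holds the role. -->
  <security-role-assignment>
    <role-name>User2</role-name>
    <externally-defined/>
  </security-role-assignment>
</weblogic-ejb-jar>
```

The role-name values must match the roles named in @RolesAllowed (or declared in ejb-jar.xml), otherwise the mapping is silently ignored and callers still get the EJB:010160 security violation.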