Announcement Announcement Module
No announcement yet.
JNDI Principal And Credentials from ACEGI HTTP Basic Authentication Page Title Module
Move Remove Collapse
This topic is closed
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • JNDI Principal And Credentials from ACEGI HTTP Basic Authentication

    Sorry for cross-posting this thread from "Core Spring - EJB" as nobody commented yet. Any help is greatly appreciated!

    I need call SLSBs from a rich client application using the HttpInvoker.

    I have already successfully implemented (configured) the client and server side. I am able to call any SLSB method. The authentication details are forwarded to the server as well, I have added my own AuthenticationProvider on the server, which works.

    My problem is that I do not know how to use the Principal and Credentials from the Basic Auth for the JNDI Environment.

    I am using the LocalStatelessSessionProxyFactoryBean with a JNDI Template. If I do not hard-code the credentials in the config file, I get a JNDI lookup authorization error when the spring-bean is initialized (no user/password defined yet...).

    What can I do to solve these problems:
    - no JNDI lookup as long as the credentials are not known
    - use the Http Basic Auth credentials for the JNDI Environment

    Any help is highly appreciated!!


    PS: I am new to Spring... I have never seen such a great framework before!

  • #2
    You'd probably want to let people lookup the objects from JNDI, but the actual implementation you return will be an AOP target object which has MethodSecurityInterceptor weaved into the execution chain. That way anyone can request the bean, but only authorized principals can actually invoke methods on it.


    • #3
      Thank you very much for your help!

      I am not sure if I understood you correctly.

      In the web.xml, I have successfully defined the BasicProcessingFilter:
      <filter-name>Acegi HTTP BASIC Authorization Filter</filter-name>
      <param-value>org.acegisecurity.ui.basicauth.BasicProcessi ngFilter</param-value>

      In the remoting-servlet.xml, I have configured:
      - my own AuthenticationProvider which works ok.
      - a subclass of LocalStatelessSessionProxyFactoryBean (WebLogicLocalStatelessSessionProxyFactoryBean) which I have found on this forum (it executes all methods within the JNDI Context) and extended to always get the authentication information from the SecurityContextHolder on each method invocation.

      This method (getting the auth info from the SecurityContextHolder on each method invocation) works, but is probably not the best way of doing it.

      Therefore I have tried what you suggested, but did not succeed: I have created my own subclass of JndiTemplate (BasicAuthJndiTemplate) which implements AuthenticationAware, but the method setAuthenticationToken is never being called...

      Shall I replace this by the MethodSecurityInterceptor? Can you direct me on how to do this?

      Can anyone point out what I am missing?

      Here is my remoting-servlet.xml:

      <bean id="myJndiTemplate" class="ch.admin.bit.ezameta.controller.BasicAuthJn diTemplate">
      <property name="environment">
      <prop key="java.naming.factory.initial">weblogic.jndi.WL InitialContextFactory</prop>

      <bean id="ezaMetaFacade" class=" Bean">
      <bean id="ezaMetaFacade_UtilService" class="ch.admin.bit.ezameta.controller.WebLogicLoc alStatelessSessionProxyFactoryBean">
      <property name="jndiName" value="ejb/ezameta/business/EzaMetaFacadeLocal"/>
      <property name="businessInterface" value="ch.admin.bit.ezameta.persistence.IUtilFacad e"/>
      <property name="jndiTemplate">
      <ref bean="myJndiTemplate"/>

      <bean id="ezaMetaFacade_MetaService" class="ch.admin.bit.ezameta.controller.WebLogicLoc alStatelessSessionProxyFactoryBean">
      <property name="jndiName" value="ejb/ezameta/business/EzaMetaFacadeLocal"/>
      <property name="businessInterface" value="ch.admin.bit.ezameta.persistence.IMetaFacad e"/>
      <property name="jndiTemplate">
      <ref bean="myJndiTemplate"/>

      <bean name="/UtilService" class="org.springframework.remoting.httpinvoker.Ht tpInvokerServiceExporter">
      <property name="service" ref="ezaMetaFacade_UtilService"/>
      <property name="serviceInterface" value="ch.admin.bit.ezameta.persistence.IUtilFacad e"/>

      <bean name="/MetaService" class="org.springframework.remoting.httpinvoker.Ht tpInvokerServiceExporter">
      <property name="service" ref="ezaMetaFacade_MetaService"/>
      <property name="serviceInterface" value="ch.admin.bit.ezameta.persistence.IMetaFacad e"/>

      <bean name="/RemoteAuthenticationManager" class="org.springframework.remoting.httpinvoker.Ht tpInvokerServiceExporter">
      <property name="service" ref="remoteAuthenticationManager"/>
      <property name="serviceInterface" value="org.acegisecurity.providers.rcp.RemoteAuthe nticationManager"/>

      <!-- Allows remote clients to check if a username/password is valid -->
      <bean id="remoteAuthenticationManager"
      class="org.acegisecurity.providers.rcp.RemoteAuthe nticationManagerImpl">
      <property name="authenticationManager">
      <ref bean="authenticationManager" />

      <bean id="authenticationManager"
      class="org.acegisecurity.providers.ProviderManager ">
      <property name="providers">
      <ref bean="dataSourceAuthenticationProvider" />

      <bean id="dataSourceAuthenticationProvider"
      class="ch.admin.bit.ezameta.controller.DataSourceA uthenticationProvider">

      Thank you very much for your help!

      Best regards,


      • #4
        I am not sure what you are actually trying to achieve.

        Are you trying to use HttpInvoker with BASIC authentication to call a remote SLSB, and you'd like Acegi Security to secure method invocations on the remote SLSB? If so, you'll probably want your server-side exporter (HttpInvokerServiceExporter) to proxy a target object which has a MethodSecurityInterceptor sitting in front of it. The BasicProcessingFilter will handle setting up the server-side SecurityContextHolder for you. Therefore, it'll look something like:

        Client makes request over HttpInvoker w/ BASIC header

        HttpInvokerServiceExporter exports "service"

        HttpInvokerServiceExporter proxies "fooBean"

        "fooBean" is a ProxyFactory bean that proxies to "myMethodSecurityInterceptor" and then the target object of "fooStatelessSessionBean"

        "myMethodSecurityInterceptor" applies security. It's just a standard MethodSecurityInterceptor.

        "fooStatelessSessionBean" is created by the SLSB proxy factory. I see you're using something called WeblogicLocalStatelessSessionProxyFactoryBean.