Spring security WebSphere integration with "pre-auth authentication provider"

    I am searching for a concrete example of how to integrate Spring Security into WebSphere Application Server 6.x where EJB 3 technology is used.
    I got an integration hint from the following article, http://www.ibm.com/developerworks/we...09_alcott.html, which outlines the use case "The servlet filter is used in conjunction with a Spring "pre-authenticated authentication provider," which is conceptually similar to a WebSphere Application Server Trust Association (TAI)" as "true" integration.

    On the web container I had no problem starting Spring Security, but down in the service layer, which is implemented as EJB 3 services, I could not propagate the Security Context. Does anybody have an example of how to propagate the security context? It seems there is some specific implementation in "org/springframework/security/ui/preauth/websphere/..." but no example is available. I appreciate any help on this topic!!!

    Example: my view controller calls an EJB service which should be denied access if the currently authenticated user does not have the role 'ROLE_ADMIN':
    1. View controller in the web container calls the EJB service:
    Code:
    // name identifies the customer to look up
    myViewController.getCustomerService().getCustomer(name);
    2. EJB service
    Code:
    import java.security.Principal;
    import javax.annotation.Resource;
    import javax.ejb.SessionContext;
    import javax.ejb.Stateless;
    import org.springframework.security.access.prepost.PreAuthorize; // Spring Security 3.x package

    @Stateless
    public class CustomerServiceBean implements CustomerService {
        @Resource
        private SessionContext sessionContext;

        private SessionContext getSessionContext() {
            return sessionContext;
        }
        ...
        @PreAuthorize("hasRole('ROLE_ADMIN')")
        //@RolesAllowed("ROLE_ADMIN")
        public Customer getCustomer(String name) {
            // here, without propagation of the Spring security context, the principal is unauthenticated
            // and isCallerInRole is false, so a user without role ROLE_ADMIN can access the service
            // regardless of the @PreAuthorize annotation
            Principal lPrincipal = getSessionContext().getCallerPrincipal();
            boolean lIsInRole = getSessionContext().isCallerInRole("ROLE_USER");

            // do business logic and return the customer entity
            Customer customer = CustomerDAO.findCustomer(name);
            return customer;
        }
        ...
    }
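Added example, not from the original post and not Spring's or WebSphere's own code: a dependency-free Java sketch of the two mechanisms behind the behaviour described above. The annotation, interface, bean and role names here are constructed stand-ins; the point they illustrate is that Spring's @PreAuthorize is only enforced on calls that pass through a Spring method-security proxy, and that SecurityContextHolder keeps the context in a ThreadLocal by default, so an EJB the container instantiates and invokes directly sees neither the check nor the context.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class AnnotationEnforcementDemo {
    // Toy stand-in for @PreAuthorize: like Spring's, it is inert metadata until an interceptor reads it.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequireRole { String value(); }

    // Toy stand-in for SecurityContextHolder's default MODE_THREADLOCAL storage.
    static final ThreadLocal<Set<String>> ROLES = new ThreadLocal<>();

    interface CustomerService { String getCustomer(String name); }

    static class CustomerServiceBean implements CustomerService {
        @Override @RequireRole("ROLE_ADMIN")
        public String getCustomer(String name) { return "customer:" + name; }
    }

    // Toy equivalent of Spring's method-security interceptor: only calls that pass through this
    // proxy are checked. A bean the EJB container instantiates itself is never wrapped by it.
    static CustomerService secured(CustomerService target) {
        return (CustomerService) Proxy.newProxyInstance(
            CustomerService.class.getClassLoader(), new Class<?>[] { CustomerService.class },
            (proxy, m, args) -> {
                RequireRole req = target.getClass()
                    .getMethod(m.getName(), m.getParameterTypes()).getAnnotation(RequireRole.class);
                Set<String> roles = ROLES.get();  // null on any thread that never set it
                if (req != null && (roles == null || !roles.contains(req.value())))
                    throw new SecurityException("access denied, required " + req.value());
                return m.invoke(target, args);
            });
    }

    static String attempt(String label, CustomerService svc) {
        try { return label + " -> " + svc.getCustomer("acme"); }   // "acme" is a constructed sample
        catch (SecurityException e) { return label + " -> " + e.getMessage(); }
    }

    public static void main(String[] args) throws Exception {
        CustomerServiceBean bean = new CustomerServiceBean();
        CustomerService proxied = secured(bean);
        ROLES.set(new HashSet<>(Arrays.asList("ROLE_USER")));  // authenticated, but not an admin
        System.out.println(attempt("via proxy, ROLE_USER", proxied));  // denied
        System.out.println(attempt("direct call, ROLE_USER", bean));   // allowed: annotation never read
        Thread t = new Thread(() -> System.out.println(attempt("via proxy, other thread", proxied)));
        t.start(); t.join();  // denied too: the ThreadLocal context is not inherited by the new thread
    }
}
```

The second call is the case from the post: the bean's method runs with no check at all because nothing between the caller and the bean reads the annotation, which is why the authorization has to be established where the container actually authenticates the caller rather than relied on from the annotation alone.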