The ejb-security
quickstart demonstrates the use of Jakarta EE declarative security to control access to EJBs in {productName}.
The ejb-security
quickstart demonstrates the use of Jakarta EE declarative security to control access to EJBs in {productNameFull}.
This quickstart takes the following steps to implement EJB security:
-
Add an
application-security-domain
mapping in theejb3
subsystem to enable Elytron security for theSecuredEJB
. -
Add the
@SecurityDomain("other")
security annotation to the EJB declaration to tell the EJB container to apply authorization to this EJB. -
Add the
@RolesAllowed({ "guest" })
annotation to the EJB declaration to authorize access only to users withguest
role access rights. -
Add the
@RolesAllowed({ "admin" })
annotation to the administrative method in theSecuredEJB
to authorize access only to users withadmin
role access rights. -
Add an application user with
guest
role access rights to the EJB. This quickstart defines a userquickstartUser
with passwordquickstartPwd1!
in theguest
role. Theguest
role matches the allowed user role defined in the@RolesAllowed
annotation in the EJB but it should not be granted access to the administrative method annotated withRolesAllowed({"admin"})
.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a configure-elytron.cli
script provided in the root directory of this quickstart.
-
Before you begin, make sure you do the following:
-
Back up the {productName} standalone server configuration as described above.
-
Start the {productName} server with the standalone default profile as described above.
-
-
Review the
configure-elytron.cli
file in the root of this quickstart directory. This script adds the configuration that enables Elytron security for the quickstart components. Comments in the script describe the purpose of each block of commands. -
Open a new terminal, navigate to the root directory of this quickstart, and run the following command, replacing
{jbossHomeName}
with the path to your server:$ {jbossHomeName}/bin/jboss-cli.sh --connect --file=configure-elytron.cli
NoteFor Windows, use the {jbossHomeName}\bin\jboss-cli.bat
script.You should see the following result when you run the script:
The batch executed successfully process-state: reload-required
-
Stop the {productName} server.
After stopping the server, open the {jbossHomeName}/standalone/configuration/standalone.xml
file and review the changes.
-
The following
application-security-domain
mapping was added to theejb3
subsystem:<application-security-domains> <application-security-domain name="other" security-domain="ApplicationDomain"/> </application-security-domains>
The
application-security-domain
enables Elytron security for the quickstart EJBs. It maps theother
security domain that is set in the EJBs using the Java annotation@SecurityDomain("other")
to the ElytronApplicationDomain
that is responsible for authenticating and authorizing access to the EJBs. -
The
http-remoting-connector
in theremoting
subsystem was updated to use theapplication-sasl-authentication
factory:<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm" sasl-authentication-factory="application-sasl-authentication"/>
This configuration allows the identity that was established at the connection level to be propagated to the components.
Before you run the client, make sure you have already successfully deployed the EJBs to the server in the previous step and that your terminal is still in the root directory of this quickstart.
Type this command to execute the client:
$ mvn exec:exec
When you run the mvn exec:exec
command, you see the following output. Note there may be other log messages interspersed between these messages.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Successfully called secured bean, caller principal quickstartUser
Principal has admin permission: false
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
The username and credentials used to establish the connection to the application server are configured in the wildfly-config.xml
file. As expected, the quickstartUser
was able to invoke the method available for the guest`role, but not the administrative method that requires the `admin
role.
Note
|
You should also see the following
|
As an exercise, you can rerun the add-user
script described in the Add the Authorized Application User section, but this time grant the quickstartUser
the admin
role as follows:
$ {jbossHomeName}/bin/add-user.sh -a -u 'quickstartUser' -p 'quickstartPwd1!' -g 'guest,admin'
Note
|
For Windows, use the {jbossHomeName}\bin\add-user.bat scripts.
|
After you update the quickstartUser
user role, you must restart the server for it to take effect. Running the client again should immediately reflect the new permission level of the user:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Successfully called secured bean, caller principal quickstartUser
Principal has admin permission: true
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
../shared-doc/undeploy-the-quickstart.adoc ../shared-doc/restore-standalone-server-configuration.adoc
This script reverts the changes made to the ejb3
and undertow
subsystems. You should see the following result when you run the script.
The batch executed successfully
process-state: reload-required
../shared-doc/restore-standalone-server-configuration-manual.adoc ../shared-doc/run-the-quickstart-in-jboss-developer-studio.adoc
-
Make sure you Add the authorized application user as described above.
-
Make sure you configure the server by running the JBoss CLI script as described above under Configure the Server.
-
To deploy the server project, right-click on the {artifactId} project and choose Run As –> Maven build. Enter clean package wildfly:deploy for the Goals and click Run. This deploys the
{artifactId}
JAR to the {productName} server. -
Right-click on the {artifactId} project and choose Run As –> Run Configurations. Enter exec:exec for the Goals, and then click Run.
-
Review the output in the console window. You should see the same results as when running Maven in the command line.
-
To undeploy the project, right-click on the {artifactId} project and choose Run As –> Run Configurations. Enter
wildfly:undeploy
for the Goals and click Run. -
Make sure you restore the server configuration when you have completed testing this quickstart.