Hot questions for Using Enterprise JavaBeans in authentication

Question:

When I want to access an EJB on a remote WildFly server from a different server, I get the following error.

Error: Authentication failed: all available authentication mechanisms failed:
   JBOSS-LOCAL-USER: javax.security.sasl.SaslException: Failed to read server challenge [Caused by java.io.FileNotFoundException: /../wildfly/standalone-/tmp/auth/X.challenge (No such file or directory)]
   DIGEST-MD5: Server rejected authentication

If I access the EJB within the server, I don't get any auth error. I use the following to access the server:

http-remoting://server1:8080

Basically, if I call this on server1, there is no problem. If I call it from server2, I get the error. I assume it looks for the auth file on server2, which exists on server1.

I am not sure if I have to make some configuration on the EJB or on WildFly to enable access from a different server. I did go through every step which is available online, but clearly I am missing something.


Answer:

My understanding is the following. For local access, authentication is not required. For remote access, authentication is required, so I'd suggest double-checking the user account and password first.
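The error in the question shows why the two cases differ: on server1 the client can read the JBOSS-LOCAL-USER challenge file under standalone/tmp/auth and is authenticated silently, while from server2 that file is unreachable, so the connection falls through to DIGEST-MD5 and needs a real ApplicationRealm account. As an added illustration (not code from the question or the answer), this is a stand-alone client that supplies such an account when looking up a remote bean on WildFly 8-10 over http-remoting. The host name, the user name, the deployment names and the GreeterRemote interface are assumptions.

```java
// Added example, not from the question or the answer: a stand-alone Java client
// that looks up a remote EJB on WildFly 8-10 over http-remoting while presenting
// an ApplicationRealm account. Host, user name, deployment names and the
// GreeterRemote interface are assumptions.
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// The bean's remote business interface. In a real project it lives in a shared
// API jar so that client and server agree on its fully qualified name.
interface GreeterRemote {
    String greet(String name);
}

public class RemoteEjbClient {

    static final String APP = "myapp";         // ear name, or "" for a plain war
    static final String MODULE = "myejb";      // jar/war name without suffix
    static final String BEAN = "GreeterBean";  // the @Stateless class name

    public static GreeterRemote lookup(String host, String user, String password)
            throws NamingException {
        Properties props = new Properties();
        props.put(Context.INITIAL_CONTEXT_FACTORY,
                  "org.jboss.naming.remote.client.InitialContextFactory");
        props.put(Context.PROVIDER_URL, "http-remoting://" + host + ":8080");
        // Credentials of an "Application User" created with add-user.sh/add-user.bat.
        // Without them a remote client can only try JBOSS-LOCAL-USER, which needs
        // read access to the server's standalone/tmp/auth challenge file.
        props.put(Context.SECURITY_PRINCIPAL, user);
        props.put(Context.SECURITY_CREDENTIALS, password);
        // Route EJB invocations over the same remote-naming connection.
        props.put("jboss.naming.client.ejb.context", "true");

        Context ctx = new InitialContext(props);
        // JNDI name format: <app>/<module>/<bean>!<fully qualified remote interface>
        String name = (APP.isEmpty() ? "" : APP + "/") + MODULE + "/" + BEAN
                + "!" + GreeterRemote.class.getName();
        return (GreeterRemote) ctx.lookup(name);
    }

    public static void main(String[] args) throws NamingException {
        // Read the secret from the environment instead of hard-coding it.
        String secret = System.getenv("EJB_PASSWORD");
        if (secret == null) {
            throw new IllegalStateException("EJB_PASSWORD is not set");
        }
        GreeterRemote greeter = lookup("server1", "ejbclient", secret);
        System.out.println(greeter.greet("server2"));
    }
}
```

Run it on server2 with the jboss-client jar of the same WildFly version on the classpath; if DIGEST-MD5 still fails, the account was created in the wrong realm (ManagementRealm instead of ApplicationRealm) or the password does not match.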

Question:

I'm trying to add my own authentication and authorisation to a Java EE REST application. I've managed to get a working version with JAX-RS's SecurityContext, a ContainerRequestFilter implementation (with JWT) and @RolesAllowed annotations on endpoint methods. But I need EJBs, and they don't use JAX-RS's SecurityContext at all (I'm getting EJBAccessException regardless of user roles), so I need another solution.

Is there anything like SecurityContext that is possible to implement in EJBs? Or should I use a library like Shiro? I want to manage users from the application itself, so container- or LDAP-provided user management is not an option. I'm using JPA to authenticate and authorise a user.

So, the main question is:

How do I implement my own authentication and role-based authorisation mechanisms that work in EJBs (using @RolesAllowed annotations), based on JAX-RS filters? How do I tell the EJB that a request is related to that concrete authenticated user with these roles?

One more thing: I'd rather avoid vendor-specific solutions, but if I had to, I'd go with JBoss/WildFly.


Answer:

Does your current solution set up the Principal object correctly? It is central to Java EE security, including EJBs.

Generally, you need an auth + IDM solution with support for JPA and custom authentication methods; PicketLink could be your choice. Unfortunately, PicketLink is now said to be superseded by Keycloak, which I personally consider to have been a controversial decision. Keycloak doesn't provide in-application IDM - it's an important piece of functionality, and it's exactly what you're looking for.

JSR 375: Java™ EE Security API is an emerging specification that will address all the above in a standard, vendor-neutral way. Soteria is a JSR 375 RI. At the moment, it only supports read-only identity stores.
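The standard route the answer points at is JSR 375: an HttpAuthenticationMechanism runs before JAX-RS, validates the credential through an IdentityStore and notifies the container of the caller and groups, after which EJB @RolesAllowed, EJBContext.isCallerInRole and the JAX-RS SecurityContext all see the same identity without vendor-specific code. The following is an added example written for this page (not the answer's code and not Soteria's own code) using the Java EE 8 Security API as it was eventually released; it assumes the javax.* package names (Jakarta EE 9+ uses jakarta.*), a one-to-one mapping of group names to role names (the spec's default), an AccessToken JPA entity keyed by the SHA-256 of the token, the role name "admin", and that each class is public in its own file in a real project (they are shown in one file for compactness).

```java
// Added example, not from the answer and not Soteria's own code: a JSR 375
// (Java EE 8 Security API) bearer-token mechanism backed by a JPA identity store.
// The AccessToken entity and its columns, the role names and the one-to-one
// group-to-role mapping are assumptions.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.persistence.ElementCollection;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.GET;
import javax.ws.rs.Path;

/** Assumed entity: one row per issued token, keyed by the SHA-256 of the token. */
@Entity
class AccessToken {
    @Id String tokenHash;
    String username;
    long expiresAtEpochSeconds;
    @ElementCollection Set<String> roles = new HashSet<>();
}

/** Credential type carrying the raw token taken from the Authorization header. */
class BearerTokenCredential implements Credential {
    final String token;
    BearerTokenCredential(String token) { this.token = token; }
}

/** Identity store: token -> user name + groups, read through JPA. */
@ApplicationScoped
class JpaTokenIdentityStore implements IdentityStore {
    @PersistenceContext EntityManager em;

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof BearerTokenCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        // Only the hash is persisted, so a dumped table yields no usable tokens.
        String hash = sha256Hex(((BearerTokenCredential) credential).token);
        AccessToken row = em.find(AccessToken.class, hash);
        if (row == null || row.expiresAtEpochSeconds < System.currentTimeMillis() / 1000) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        return new CredentialValidationResult(row.username, new HashSet<>(row.roles));
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(64);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}

/** Runs before JAX-RS dispatch; replaces the ContainerRequestFilter approach. */
@ApplicationScoped
class BearerTokenAuthMechanism implements HttpAuthenticationMechanism {
    @Inject IdentityStoreHandler stores;  // dispatches to every IdentityStore bean

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest req, HttpServletResponse res,
                                                HttpMessageContext ctx) {
        String header = req.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            // No token: let public resources through, reject protected ones.
            return ctx.isProtected() ? ctx.responseUnauthorized() : ctx.doNothing();
        }
        CredentialValidationResult result =
                stores.validate(new BearerTokenCredential(header.substring(7).trim()));
        if (result.getStatus() != CredentialValidationResult.Status.VALID) {
            return ctx.responseUnauthorized();
        }
        // From here on the container knows the caller and groups; EJB @RolesAllowed,
        // EJBContext.isCallerInRole and the JAX-RS SecurityContext all see them.
        return ctx.notifyContainerAboutLogin(result);
    }
}

@Stateless
class ReportService {
    @RolesAllowed("admin")  // container-enforced; other callers get EJBAccessException
    public String monthlyReport() { return "report"; }
}

@Path("/reports")
class ReportResource {
    @Inject ReportService reports;
    @GET public String get() { return reports.monthlyReport(); }
}
```

Issuing tokens (login endpoint, hashing the new token before persisting it, expiry) is the other half of the same store and is left out here; the point of the example is that once notifyContainerAboutLogin has run, the EJB container performs the @RolesAllowed check itself and the filter-based SecurityContext is no longer needed.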

Question:


Answer:

I strongly recommend PicketLink for your Java EE application. It's CDI-managed (so you don't need Spring or another heavyweight framework), has a big pack of tutorials and is quite simple for beginners.

UPD: It's JBoss dependent.

Question:

I am developing a web application with Java EE 7 on a WildFly application server (EJB, JSF, JPA, ...). To protect subpages from unauthorized access, I created security constraints and roles (just two: Admin and User) in my web.xml, and they work fine with the users I created manually with add-user.bat in wildfly/bin.

My question is: how is it possible to save new usernames and passwords (the role should always be 'user') from the Java web application into the property file 'application-users'?

Later, I want to create a session for a cart after successful authorization of the users with the credentials from the application-users file.

Any help will be appreciated. Thank you in advance!


Answer:

Security-wise, the web application should not have write access to the application-users.properties file. If you need to create users from your application, help yourself by choosing a proper store for your user database (MySQL, LDAP or even H2, which should be fine for development).

Alternatively, if you really want to use a property file, define one outside the JBoss installation directory (somewhere in /var/data/my-app). That way you can't accidentally corrupt your JBoss setup. Copy the security domain configuration which references application-users.properties and change the file path to your own users property file.
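For the property-file alternative, the application has to write entries in the layout the properties-backed realm reads: the users file holds username=HEX(MD5(username ':' realm ':' password)), the value add-user produces, and the roles file holds username=role1,role2; the realm name in the digest must be the name of the realm whose <properties path=.../> is pointed at the file. The following is an added example (not the answer's code) of such a writer. The directory and file names, the realm name ApplicationRealm and the fixed "User" role are assumptions; MD5 here is not a choice but what the HTTP Digest-based realm expects, and the files must stay readable only by the server's OS user.

```java
// Added example, not from the answer: registering a user in the application's
// own users/roles property files kept outside the WildFly installation, in the
// layout the properties-backed security realm reads. Directory, file names,
// realm name and the fixed "User" role are assumptions.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Writer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Properties;
import java.util.regex.Pattern;

public class PropertiesUserStore {
    private static final Path DIR = Paths.get("/var/data/my-app");
    private static final Path USERS = DIR.resolve("my-app-users.properties");
    private static final Path ROLES = DIR.resolve("my-app-roles.properties");
    private static final String REALM = "ApplicationRealm";  // must equal the realm that loads the file
    // The files are line-oriented: a name containing '=', ':' or a newline could
    // smuggle in a second entry, so only a conservative character set is accepted.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    /** Registers a new user with the single role "User"; duplicates are rejected. */
    public synchronized void addUser(String username, char[] password) throws IOException {
        if (!USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        Properties users = load(USERS);
        if (users.containsKey(username)) {
            throw new IllegalStateException("user already exists");
        }
        users.setProperty(username, digestHex(username, REALM, password));
        Arrays.fill(password, '\0');  // do not keep the clear text around
        Properties roles = load(ROLES);
        roles.setProperty(username, "User");
        store(USERS, users);
        store(ROLES, roles);
    }

    /** HEX(MD5(username ':' realm ':' password)), the value the realm compares against. */
    static String digestHex(String user, String realm, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            md.update((user + ":" + realm + ":").getBytes(StandardCharsets.UTF_8));
            md.update(StandardCharsets.UTF_8.encode(CharBuffer.wrap(password)));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : md.digest()) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    private static Properties load(Path file) throws IOException {
        Properties p = new Properties();
        if (Files.exists(file)) {
            try (BufferedReader in = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
                p.load(in);
            }
        }
        return p;
    }

    /** Writes a 0600 temp file in the same directory, then renames it into place atomically. */
    private static void store(Path file, Properties props) throws IOException {
        Files.createDirectories(DIR);
        Path tmp = Files.createTempFile(DIR, file.getFileName().toString(), ".tmp",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        try (Writer out = Files.newBufferedWriter(tmp, StandardCharsets.UTF_8)) {
            // The realm reads its name from this comment marker, as add-user writes it.
            props.store(out, "$REALM_NAME=" + REALM + "$ This line is used by the add-user utility");
        }
        Files.move(tmp, file, StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
    }
}
```

The atomic rename matters because the realm re-reads the file when its timestamp changes; a partially written file would otherwise lock every user out until the next write completes. A database-backed store, as the answer recommends first, avoids both the file-format coupling and the MD5 digest.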