Hot questions for Using Enterprise JavaBeans in authentication
When I want to access EJB on remote wildfly server from a different server, i get following error.
Error: Authentication failed: all available authentication mechanisms failed: JBOSS-LOCAL-USER: javax.security.sasl.SaslException: Failed to read server challenge [Caused by java.io.FileNotFoundException: /../wildfly/standalone-/tmp/auth/X.challenge (No such file or directory)] DIGEST-MD5: Server rejected authentication
If i access EJB within the server, i don't get any auth error. I use following to access server;
Basically if i call this in server1, there is no problem. If i call this from server2, i get the error. I assume it looks for auth file in server2 which exists in server1.
I am not sure if I have to make some config on EJB or wildfly to enable access from different server. I did go through every steps which are available online but clearly i am missing something.
My understanding is the following. For a local access, the authentification is not required. For a remote access, the authentification is required, so I'd suggest to double check the user account and password first.
I’m trying to add my own authentication and authorisation to Java EE REST application. I’ve managed to get working version with JAX-RS’s
ContainerRequestFilter implementation (with JWT) and
@RolesAllowed annotations on end-point methods. But I need EJBs, and they don’t use JAX-RS’s SecurityContext at all (I’m getting
EJBAccessException regardless of user roles), so I need another solution.
Is there anything like
SecurityContext in EJBs possible to implement? Or should I use a library like Shiro? I want to manage users from the application itself, so container- or LDAP-provided user management is not an option. I'm using JPA to authenticate and authorise a user.
So, the main question is:
How do I implement my own authentication and role-based authorisation mechanisms working in EJBs (using @RolesAllowed annotations), based on JAX-RS filters? How do I tell EJB that a request is related to that concrete authenticated user with these roles?
One more thing – I’d rather avoid vendor-specific solutions, but if I had to, I’d go with JBoss/Wildfly.
Does your current solution set up
Principal object correctly? It is central to Java EE security, including EJBs.
Generally, you need an auth + IDM solution with support for JPA and custom authentication methods; PicketLink could be your choice. Unfortunately, PicketLink is now said to be superseded by KeyCloak, which I personally consider to have been a controversial decision. KeyCloak doesn't provide in-application IDM - it's an important piece of functionality, and it's exactly what you're looking for.
JSR 375: Java™ EE Security API is an emerging specification that will address all the above in a standard, vendor-neutral way. Soteria is a JSR 375 RI. At the moment, it only supports read-only identity stores.
I strongly recommend PicketLink for your JavaEE application. It's CDI-managed (so you don't need Spring or other heavy-weight framework), has a big pack of tutorials and quite simple for beginners.
UPD: It's JBoss dependent.
i am developing an web application with java ee 7 on a wildfly application server (EJB, JSF, JPA, ...). To protect subpages for unauthorized access, i created security constraints and roles (Just two: Admin and User) on my web.xml - and they work fine with the users i created manually on the add-user.bat on wildfly/bin.
My question is: how is it possible to save new usernames and passwords (role should be always 'user') out of the java web application to be saved in the property file 'application-users'?
Later - i want to create a session for a cart after successfully authorization of the users with the credentials of the application-users file.
Any help will be appreciated. Thank you in advance!
Security-wise the web application should not be able to have write access to the application-users.properties file. If you need to create users from your application, help yourself by choosing a proper store for your user database (MySql, LDAP or even H2 which should be fine for development).
Alternatively, if you really want to use a property file, define one outside the JBoss installation directory (somewhere in /var/data/my-app). That way you can't accidentally corrupt your JBoss setup. Copy the security domain configuration which references the application-users.properties and change the file path to your own users property file.