About Question enthuware.ocejws.v6.2.225 :

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

About Question enthuware.ocejws.v6.2.225 :

Post by himaiMinh »

"Add a security constraint in the web deployment..." may be the option instead of "add security annotations..."
The article "Securing JAX-RS web services using Annotation" says:

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.ws.rs.PUT;

// Class-level default: every caller may invoke the resource's methods
// (the article's fragment omits the @Path mapping and the method body)
@PermitAll
@Stateless
public class AddressBookResource {
    // Method-level annotation overrides the class-level default for this method only
    @RolesAllowed("admin")
    @PUT
    public void updateList(String addr) { ... }
}
Which of the configurations would be required to support the access control for this code?
Option 1. No further configuration is required, J2EE runtime will read annotation and configure web container automatically.
This is wrong. When the JAX-RS resources have authorization constraints associated with them, the JAX-RS runtime relies on the web container to obtain authentication information. This means that the web container must be configured to require authentication data...
Option 2. Developer must configure web container to authenticate access to the resource.
This is correct. Annotations for security follow the declarative security model. Security constraints that are configured in the web.xml file take precedence over security constraints that are programmatically annotated in the application.... Annotated constraints are additional to any configured security constraints. The JAX-RS runtime environment checks for annotated constraints after the web container runtime environment has checked for security constraints that are configured in the web.xml....

When a JAX-RS resources is accessed that corresponds to one of these constraints, authorization checks are performed. Access checks are performed for the declarative security annotation only after the configured constraints are verified.

The web.xml for this example:
<web-app>
  <security-constraint>
    <web-resource-collection>
      <!-- web-resource-name is required by the schema; the value is arbitrary -->
      <web-resource-name>AddressBook</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  ....
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  ...
</web-app>
Procedure
1. Determine if there are security constraints defined by the web.xml ...

2. Security constraints that are configured in the deployment descriptor, the web.xml file, take precedence over security constraints that are programmatically annotated in the application.

3. Determine if you want to add annotations for security, in addition to any constraints in the web.xml file. Decide if you want to add one of the @PermitAll, @DenyAll and @RolesAllowed annotations to provide additional security.
Based on this article, web.xml is the first way to declare role-based security constraints. Then, using security annotation is the additional way to declare fine-grained constraints.
Last edited by himaiMinh on Tue Apr 15, 2014 7:49 pm, edited 1 time in total.
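The two-layer check the post above quotes (web.xml constraints first, annotations second, and the web container only authenticating when one of its constraints covers the request) can be modelled end to end. The following is an added example, not code from the page, the quoted article or any Java EE container: a small Python model of the rules, run against the thread's AddressBookResource (@PermitAll on the class, @RolesAllowed("admin") on PUT) and its web.xml (PUT on /* restricted to admin, BASIC authentication). The user registry, passwords and request paths are constructed for the example; it also covers the "Option 1" case in which only the annotations exist, so the container never authenticates and a legitimate admin is refused.

```python
"""Model of how a web.xml <security-constraint> and the @PermitAll/@DenyAll/
@RolesAllowed annotations combine for one JAX-RS request.

Added example: this is not code from the page or from any Java EE container.
It reproduces the two rules the thread quotes: the web container checks its
constraints first and only authenticates when one of them covers the request,
and the annotations are evaluated afterwards with whatever caller identity the
container established. The user registry, passwords, paths and roles are
constructed here."""
from dataclasses import dataclass
from typing import Optional

# Constructed user registry: name -> (password, roles). Hypothetical data.
USERS = {
    "alice": ("alice-pw", frozenset({"user"})),
    "bob": ("bob-pw", frozenset({"admin", "user"})),
}
ANONYMOUS = ("", frozenset())          # caller when no authentication happened


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>. roles=None means no <auth-constraint>
    (unrestricted); an empty set means an empty <auth-constraint/> (deny all)."""
    url_patterns: tuple
    http_methods: tuple                # () covers every HTTP method
    roles: Optional[frozenset]


@dataclass(frozen=True)
class Resource:
    """A JAX-RS resource class. An annotation is ("PermitAll",), ("DenyAll",)
    or ("RolesAllowed", frozenset_of_roles); None means unannotated."""
    class_annotation: Optional[tuple]
    method_annotations: dict           # HTTP method -> annotation or None


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    credentials: Optional[tuple] = None  # (user, password) from the Authorization header


def url_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching: prefix ("/x/*"), extension ("*.y") or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def container_check(constraints, req):
    """Layer 1, the web container. Returns (HTTP status, principal)."""
    applicable = [c for c in constraints
                  if any(url_matches(p, req.path) for p in c.url_patterns)
                  and (not c.http_methods or req.method in c.http_methods)]
    if not applicable:
        return 200, ANONYMOUS          # nothing to enforce, so no authentication either
    if any(c.roles is None for c in applicable):
        return 200, ANONYMOUS          # a constraint without auth-constraint makes access unrestricted
    allowed = frozenset().union(*(c.roles for c in applicable))
    if req.credentials is None:
        return 401, ANONYMOUS          # BASIC challenge
    name, password = req.credentials
    entry = USERS.get(name)
    if entry is None or entry[0] != password:
        return 401, ANONYMOUS
    principal = (name, entry[1])
    return (200 if entry[1] & allowed else 403), principal


def annotation_check(resource, http_method, principal):
    """Layer 2, the annotations, using the identity the container propagated.
    Method-level beats class-level; no annotation at all means unchecked."""
    annotation = (resource.method_annotations.get(http_method)
                  or resource.class_annotation or ("PermitAll",))
    if annotation[0] == "PermitAll":
        return 200
    if annotation[0] == "DenyAll":
        return 403
    return 200 if principal[1] & annotation[1] else 403


def authorize(constraints, resource, req):
    """Both layers in the order the thread describes: web.xml first, then annotations."""
    status, principal = container_check(constraints, req)
    if status != 200:
        return status
    return annotation_check(resource, req.method, principal)


# The thread's AddressBookResource: @PermitAll on the class, @RolesAllowed("admin") on PUT.
ADDRESS_BOOK = Resource(("PermitAll",),
                        {"PUT": ("RolesAllowed", frozenset({"admin"})), "GET": None})
# The thread's web.xml: PUT on /* requires the admin role, BASIC authentication.
WEB_XML = (Constraint(("/*",), ("PUT",), frozenset({"admin"})),)

if __name__ == "__main__":
    print(authorize(WEB_XML, ADDRESS_BOOK, Request("PUT", "/addresses")))                     # 401
    print(authorize(WEB_XML, ADDRESS_BOOK, Request("PUT", "/addresses", ("bob", "bob-pw"))))  # 200
    # "Option 1" from the question: annotations only. bob sends valid credentials, but with no
    # constraint to trigger authentication the container ignores them and the annotation sees
    # an anonymous caller.
    print(authorize((), ADDRESS_BOOK, Request("PUT", "/addresses", ("bob", "bob-pw"))))       # 403
```

The last call is the practical reason "Option 1" is wrong: without a web.xml constraint and login-config nothing ever establishes a caller identity, so @RolesAllowed can only ever deny. The GET case shows the other direction: the class-level @PermitAll lets anonymous reads through because no constraint covers GET, which is exactly the coarse-versus-fine split the thread discusses.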


Post by himaiMinh »

Another example quoted from Common Annotations for the Java Platform and Enterprise JavaBeans 3.1, but this is not referring to a RESTful service:
import javax.ejb.Singleton;
import javax.jws.WebService;

@Singleton
@WebService
public class StatusBean {
    public String getState() { ... }
}
To add role based access control:
1. by using common annotations for the Java Platform (@RolesAllowed, @PermitAll, @DenyAll)
2. by using method-permission element in ejb-jar.xml, like this ejb-jar.xml file:
<assembly-descriptor>
  <method-permission>
    <role-name>Administrator</role-name>
    <method>
      <ejb-name>StatusBean</ejb-name>
      <method-name>getState</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
I think if the exam question is asking about the way to set up role-based security for an EJB-based JAX-WS web service, the answer can be either using annotations or using ejb-jar.xml.

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.225 :

Post by fjwalraven »

"Add a security constraint in the web deployment..." may be the option instead of "add security annotations..."
No, the problem statement says "we want to use role-based security on a method..." and this can only be done with annotations.

Regards,
Frits


Post by himaiMinh »

Thanks for the reply. I see it now. The question is actually referring to adding fine-grained role-based security.
I thought of this configuration in web.xml:

<url-pattern>/jersey/add/*</url-pattern>
<http-method>GET</http-method>
...
<auth-constraint>
    <role-name>student</role-name>
</auth-constraint>
....

This web.xml configuration only allows any student to access any @GET method in the /jersey/add/* URL pattern. But it is not good enough to indicate which particular @GET method in the resource class.


Post by himaiMinh »

Hi, I have a question regarding the explanation saying that enforcing authentication should be done in web.xml.
Suppose we have a JAX-WS EJB-based RESTful web service like this:

import javax.ejb.Singleton;
import javax.jws.WebService;

@WebService
@Singleton
public class OrderBean { ... }
We should have ejb-jar.xml to define security role and method permission:

<security-role>
    <role-name>manager</role-name>
</security-role>
<method-permission>
    <role-name>manager</role-name>
    <method>
        <ejb-name>OrderBean</ejb-name>
        <method-name>*</method-name>
    </method>
</method-permission>
And we also have sun-ejb-jar.xml

<sun-ejb-jar>
    <enterprise-beans>
        <ejb>
            ....
            <login-config>
                <auth-method>CLIENT-CERT</auth-method>
            </login-config>
        </ejb>
    </enterprise-beans>
</sun-ejb-jar>
My question is :
if we have a JAX-RS RESTful service, we need to use web.xml to enforce authentication.
But if we have a JAX-WS EJB-based service, which is RESTful, we don't need web.xml. Instead, we will need sun-ejb-jar.xml or glassfish-ejb-jar.xml to specify the <auth-method>.
Any comments?
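The ejb-jar.xml fragments in this post and in the earlier StatusBean post both rely on the assembly-descriptor rules for <method-permission>: role sets from every matching element are combined, a wildcard <method-name>*</method-name> covers the whole bean, <unchecked/> lifts the role check and <exclude-list> denies everyone. As an added example (not code from the page or from any EJB container), here is a Python parser that resolves those rules for a given bean method. The descriptor it parses is constructed for the example: it contains the thread's OrderBean and StatusBean entries and adds hypothetical cancelOrder, purgeAll and ping methods to exercise each rule. Overloaded methods (<method-params>) are not modelled, and authentication is out of scope, which is the point Frits makes in the next reply.

```python
"""Parser for the authorization part of an EJB 3.1 ejb-jar.xml: resolves which
roles may call a bean method from <method-permission> and <exclude-list>.

Added example: not code from the page or from any container. The descriptor
below is constructed from the thread's OrderBean/StatusBean fragments plus
hypothetical methods (cancelOrder, purgeAll, ping) that exercise <unchecked/>
and <exclude-list>. <method-params> overload selection is not modelled."""
import xml.etree.ElementTree as ET

EJB_JAR_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.1">
  <assembly-descriptor>
    <security-role><role-name>manager</role-name></security-role>
    <security-role><role-name>Administrator</role-name></security-role>
    <method-permission>
      <role-name>manager</role-name>
      <method><ejb-name>OrderBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>Administrator</role-name>
      <method><ejb-name>OrderBean</ejb-name><method-name>cancelOrder</method-name></method>
      <method><ejb-name>StatusBean</ejb-name><method-name>getState</method-name></method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method><ejb-name>StatusBean</ejb-name><method-name>ping</method-name></method>
    </method-permission>
    <exclude-list>
      <method><ejb-name>OrderBean</ejb-name><method-name>purgeAll</method-name></method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
"""


def _local(tag):
    """Strip the XML namespace, so the Java EE and older DTD-style descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found else None


class MethodPermissions:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.declared_roles = set()
        self.rules = []        # (ejb-name, method-name, roles); roles=None means <unchecked/>
        self.excluded = set()  # (ejb-name, method-name) pairs from <exclude-list>
        for ad in (e for e in root.iter() if _local(e.tag) == "assembly-descriptor"):
            for sr in _children(ad, "security-role"):
                self.declared_roles.add(_text(sr, "role-name"))
            for mp in _children(ad, "method-permission"):
                unchecked = bool(_children(mp, "unchecked"))
                roles = None if unchecked else frozenset(
                    r.text.strip() for r in _children(mp, "role-name"))
                for m in _children(mp, "method"):
                    self.rules.append((_text(m, "ejb-name"), _text(m, "method-name"), roles))
            for ex in _children(ad, "exclude-list"):
                for m in _children(ex, "method"):
                    self.excluded.add((_text(m, "ejb-name"), _text(m, "method-name")))

    def undeclared_roles(self):
        """Roles referenced by a method-permission but missing from <security-role>."""
        used = set()
        for _, _, roles in self.rules:
            used |= roles or set()
        return used - self.declared_roles

    def permission(self, ejb_name, method_name):
        """Returns "excluded", "unchecked" or the frozenset of roles allowed to call."""
        if (ejb_name, method_name) in self.excluded or (ejb_name, "*") in self.excluded:
            return "excluded"          # exclude-list wins over every method-permission
        roles, matched = set(), False
        for ejb, meth, rule_roles in self.rules:
            if ejb == ejb_name and meth in (method_name, "*"):
                matched = True
                if rule_roles is None:
                    return "unchecked"  # <unchecked/> wins over role-name permissions
                roles |= rule_roles
        # A method with no descriptor rule is treated as unchecked here, like an un-annotated method.
        return frozenset(roles) if matched else "unchecked"

    def is_allowed(self, ejb_name, method_name, caller_roles):
        perm = self.permission(ejb_name, method_name)
        if perm == "excluded":
            return False
        if perm == "unchecked":
            return True
        return bool(perm & frozenset(caller_roles))


if __name__ == "__main__":
    mp = MethodPermissions(EJB_JAR_XML)
    print(mp.permission("OrderBean", "cancelOrder"))   # frozenset({'manager', 'Administrator'})
    print(mp.permission("OrderBean", "purgeAll"))      # excluded
    print(mp.undeclared_roles())                       # set()
```

The check worth keeping from this is `undeclared_roles()`: a <role-name> that appears in a <method-permission> but in no <security-role> is a typo the container may accept silently, leaving the method callable by nobody or by everybody depending on the vendor.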


Post by fjwalraven »

But if we have a JAX-WS EJB-based service, which is RESTful, we don't need web.xml. Instead, we will need sun-ejb-jar.xml or glassfish-ejb-jar.xml to specify the <auth-method>.
Both sun-ejb-jar.xml and glassfish-ejb-jar.xml are proprietary deployment descriptors. They are not mentioned in any of the EE6 specifications (EJB, JAX-RS or JAX-WS). In other words: authentication by the EJB container is a handy add-on but not required.

The specifications in the Web Services domain that say anything about authentication are JAX-WS 2.x and JSR-109, and they don't mention the possibility of the EJB container providing authentication (nor do they mention those deployment descriptors). Authentication for the Web Services exam is done by the web container.

Regards,
Frits


Post by himaiMinh »

Hi, Frits. Thanks for your explanation.
So, in theory, any application server typically should have at least a web container and an EJB container. The application server's web container should read the web.xml to see what the <auth-method> is in order to enable authentication.
But in practice, GlassFish application server uses glassfish-ejb-jar.xml to enable authentication in its EJB container. And JBoss uses web.xml to authenticate in web container.


Post by fjwalraven »

But in practice, GlassFish application server uses glassfish-ejb-jar.xml to enable authentication in its EJB container.
No, not necessarily. GlassFish also uses the web.xml to enable Authentication. The credentials are passed from the web-container to the ejb-container (no need to configure anything else).

If your application doesn't use any web components (e.g. Servlets, JSPs), GlassFish has the possibility to enable authentication in the EJB container directly.

Regards,
Frits
