ejb-security-programmatic-auth: Using the programmatic API to invoke a remote EJB using different identities
The ejb-security-programmatic-auth
quickstart demonstrates how to programmatically setup different identities when invoking a remote secured EJB.
The ejb-security-programmatic-auth
quickstart demonstrates how to invoke a remote secured EJB using the Elytron
client API to establish different identities. The quickstart client application accomplishes that by looking up and invoking the secured EJB under different `AuthenticationContext`s. Each context is setup to use a different identities and credentials.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a configure-elytron.cli
script provided in the root directory of this quickstart.
-
Before you begin, make sure you do the following:
-
Back up the {productName} standalone server configuration as described above.
-
Start the {productName} server with the standalone default profile as described above.
-
-
Review the
configure-elytron.cli
file in the root of this quickstart directory. This script adds the configuration that enables Elytron security for the quickstart components. Comments in the script describe the purpose of each block of commands. -
Open a new terminal, navigate to the root directory of this quickstart, and run the following command, replacing
{jbossHomeName}
with the path to your server.$ {jbossHomeName}/bin/jboss-cli.sh --connect --file=configure-elytron.cli
NoteFor Windows, use the {jbossHomeName}\bin\jboss-cli.bat
script.You should see the following result when you run the script.
The batch executed successfully process-state: reload-required
-
Stop the {productName} server.
After stopping the server, open the {jbossHomeName}/standalone/configuration/standalone.xml
file and review the changes.
-
The following
application-security-domain
mapping was added to theejb3
subsystem:<application-security-domains> <application-security-domain name="quickstart-domain" security-domain="ApplicationDomain"/> </application-security-domains>
The
application-security-domain
essentially enables Elytron security for the quickstart EJBs. It maps thequickstart-domain
that was set in the EJBs via annotation to the ElytronApplicationDomain
that will be responsible for authenticating and authorizing access to the EJBs. -
The
http-connector
in theremoting
subsystem was updated to use theapplication-sasl-authentication
authentication factory:<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm" sasl-authentication-factory="application-sasl-authentication"/>
This allows for the identity that was established in the connection authentication to be propagated to the components.
Before you run the client, make sure you have already successfully deployed the EJBs to the server in the previous step and that your terminal is still in the same folder.
Type the following command to execute the client.
$ mvn exec:exec
When you run the mvn exec:exec
command, you see the following output. Note there may be other log messages interspersed between these.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Called secured bean, caller principal quickstartUser
Principal has admin permission: false
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Called secured bean, caller principal quickstartAdmin
Principal has admin permission: true
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
As expected, the quickstart
user is able to call the methods available for guest
, but does not have the admin
permission to call administrative methods on the remote EJB. The quickstartAdmin
on the other hand has permissions to call both methods.
../shared-doc/undeploy-the-quickstart.adoc ../shared-doc/restore-standalone-server-configuration.adoc
This script reverts the changes made to the ejb3
and remoting
subsystems. You should see the following result when you run the script.
The batch executed successfully
process-state: reload-required
../shared-doc/restore-standalone-server-configuration-manual.adoc ../shared-doc/run-the-quickstart-in-jboss-developer-studio.adoc
-
Make sure you add the authorized application and management users as described above.
-
Make sure you configure the server by running the JBoss CLI script as described above under Configure the Server.
-
Right-click on the {artifactId} project and choose Run As → Maven build. Enter
clean package wildfly:deploy
for the Goals and click Run. This deploys the{artifactId}
JAR to the {productName} server. -
Right-click on the {artifactId} project and choose Run As → Run Configurations….
-
Enter
exec:exec
for the Goals and click Run. -
Review the output in the console window. You should see the following output.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Called secured bean, caller principal quickstartUser Principal has admin permission: false * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Called secured bean, caller principal quickstartAdmin Principal has admin permission: true * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
-
To undeploy the project, right-click on the {artifactId} project and choose Run As → Maven build. Enter
wildfly:undeploy
for the Goals and click Run. -
Make sure you restore the {productName} standalone server configuration when you have completed testing this quickstart.