ejb-security-programmatic-auth: Using the programmatic API to invoke a remote EJB using different identities
The ejb-security-programmatic-auth quickstart demonstrates how to programmatically setup different identities when invoking a remote secured EJB.
The ejb-security-programmatic-auth quickstart demonstrates how to invoke a remote secured EJB using the Elytron client API to establish different identities. The quickstart client application accomplishes that by looking up and invoking the secured EJB under different `AuthenticationContext`s. Each context is setup to use a different identities and credentials.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a configure-elytron.cli script provided in the root directory of this quickstart.
-
Before you begin, make sure you do the following:
-
Back up the {productName} standalone server configuration as described above.
-
Start the {productName} server with the standalone default profile as described above.
-
-
Review the
configure-elytron.clifile in the root of this quickstart directory. This script adds the configuration that enables security for the quickstart components. Comments in the script describe the purpose of each block of commands. -
Open a new terminal, navigate to the root directory of this quickstart, and run the following command, replacing
{jbossHomeName}with the path to your server.$ {jbossHomeName}/bin/jboss-cli.sh --connect --file=configure-elytron.cliNoteFor Windows, use the {jbossHomeName}\bin\jboss-cli.batscript.You should see the following result when you run the script.
The batch executed successfully process-state: reload-required -
Stop the {productName} server.
After stopping the server, open the {jbossHomeName}/standalone/configuration/standalone.xml file and review the changes.
-
The following
application-security-domainmapping was added to theejb3subsystem:<application-security-domains> <application-security-domain name="quickstart-domain" security-domain="ApplicationDomain"/> </application-security-domains>
The
application-security-domainessentially enables security for the quickstart EJBs. It maps thequickstart-domainthat was set in the EJBs via annotation to the ElytronApplicationDomainthat will be responsible for authenticating and authorizing access to the EJBs. -
Take a look at the existing
http-connectorconfiguration in theremotingsubsystem. Notice that it uses theapplication-sasl-authenticationauthentication factory, which references theApplicationDomainsecurity domain mentioned above:<http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>
This allows for the identity that was established in the connection authentication to be propagated to the components.
Before you run the client, make sure you have already successfully deployed the EJBs to the server in the previous step and that your terminal is still in the same folder.
Type the following command to execute the client.
$ mvn exec:execWhen you run the mvn exec:exec command, you see the following output. Note there may be other log messages interspersed between these.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Called secured bean, caller principal quickstartUser
Principal has admin permission: false
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Called secured bean, caller principal quickstartAdmin
Principal has admin permission: true
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *As expected, the quickstart user is able to call the methods available for guest, but does not have the admin permission to call administrative methods on the remote EJB. The quickstartAdmin on the other hand has permissions to call both methods.
../shared-doc/undeploy-the-quickstart.adoc ../shared-doc/restore-standalone-server-configuration.adoc
This script reverts the changes made to the ejb3 and remoting subsystems. You should see the following result when you run the script.
The batch executed successfully
process-state: reload-required../shared-doc/restore-standalone-server-configuration-manual.adoc ../shared-doc/run-the-quickstart-in-jboss-developer-studio.adoc
-
Make sure you add the authorized application and management users as described above.
-
Make sure you configure the server by running the JBoss CLI script as described above under Configure the Server.
-
Right-click on the {artifactId} project and choose Run As → Maven build. Enter
clean package wildfly:deployfor the Goals and click Run. This deploys the{artifactId}JAR to the {productName} server. -
Right-click on the {artifactId} project and choose Run As → Run Configurations….
-
Enter
exec:execfor the Goals and click Run. -
Review the output in the console window. You should see the following output.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Called secured bean, caller principal quickstartUser Principal has admin permission: false * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Called secured bean, caller principal quickstartAdmin Principal has admin permission: true * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -
To undeploy the project, right-click on the {artifactId} project and choose Run As → Maven build. Enter
wildfly:undeployfor the Goals and click Run. -
Make sure you restore the {productName} standalone server configuration when you have completed testing this quickstart.