we have a web application where we use a LDAP realm to authenticate the user. Then we have to check whether the authenticated user has permissions to open our application or not.
Our application has lots of applications/modules in it. All customer credentials are stored in a LDAP server. But customers will not have access to each and every application. They will purchase and then they get rights to use/access the application.
So I proposed using filters from the servlet api to do autherization part.
We are using EJB 3.0 to develop our service components and other components. Upon the EJB layer we have a REST layer meaning everyone has to access the EJBs from the web services. Is there any component in EJB which will be executed before accessing the EJBs or is there any component in REST which provide the same functionality?
Is it right to use a servlet filter in this case? Or Is there any better approach?
Thank you all in advance. Good day.
My suggestion is to secure the thing that must be secured: the implementation of business logic. The business logic resides in the EJBs, so my first option would be to secure this tier.
A day will come that someone will expose the business logic through another channel; it may be that some other application will need to access the EJBs through RMI; or as a SOAP web service; or whatever. If the security is implemented in the web tier, the other application will have unrestricted access to the logic, unless it has the good will to implement security.
Several things come to mind.
Simplest solution would be to map the rights to use a specific module to a role. When a user pays for that module, he/she is assigned that role. EJB methods will be protected to allow the appropriate set of roles to access them. Sample code:
@Stateless
public class ModuleOneBean implements ModuleOne
{
@Resource SessionContext ctx;
public void businessMethod() {
if( !ctx.isCallerInRole("moduleOneRole") ) {
throw new SecurityException(...);
}
// business logic as usual
...
}
}
If the authorization logic is more complex than that, EJB interceptors may be useful. They are like the servlet filters but for the EJB tier. A smart implementation of interceptor-based security infrastructure can cope with many more cases than the previous solution, including the case of role-based authorization. A simplified usage, roughly implementing the previous case with interceptors would be:
@Stateless
public class ModuleOneBean implements ModuleOne
{
@Interceptors(ModuleOneSecurityInterceptor.class)
public void businessMethod() {
// business logic as usual
...
}
}
and:
public class ModuleOneSecurityInterceptor
{
@Resource SessionContext ctx;
@AroundInvoke
public Object authorize(InvocationContext invctx) {
if( !ctx.isCallerInRole("moduleOneRole") ) {
throw new SecurityException(...);
}
return ctx.proceed();
}
}
Note: Interceptors can also be declared in the ejb-jar.xml (the @Interceptors annotation is not necessary), so as not to burden the code and keep control centralized, especially for security.
Custom solutions (e.g. this using CDI).
If you are pretty sure that the web app will be the only way to access the core, for ever, then a servlet filter will probably be OK. And you may need to add an extra layer of protection to the web app anyway.
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments