EJB security - Weblogic



Thread: EJB security

  1. EJB security


    Hi

    We have 2 Weblogic instances (frontend & backend). The frontend web application
    receives a custom token during logon (from a logon server), which the application
    decrypts and checks that the user exists. This is similar to Weblogic's Identity
    Assertion.

    So far so good.

    Now, the frontend servlet needs to access EJBs from the backend instance. We already
    have the username in the session. How do we tell the frontend to use CSIv2 (CSI_PRINCIPAL_TYPE)
    when accessing the backend EJBs?

    In the backend, we will have written custom security providers (based on Weblogic's
    security example package from dev2dev) to handle the identity assertion, etc.

    Please advise if we are approaching this the wrong way. Essentially, the frontend
    has been written. We now need to propagate the username to the backend to secure
    the EJB access.

    Regards
    Keith




  2. Re: EJB security


    "Keith Chew" wrote in message news:3f9dd228$1@newsgroups.bea.com...
    >
    > Hi
    >
    > We have 2 Weblogic instances (frontend & backend). The frontend web application
    > receives a custom token during logon (from a logon server), which the application
    > decrypts and checks that the user exists. This is similar to Weblogic's Identity
    > Assertion.
    >
    > So far so good.
    >
    > Now, the frontend servlet needs to access EJBs from the backend instance. We already
    > have the username in the session. How do we tell the frontend to use CSIv2 (CSI_PRINCIPAL_TYPE)
    > when accessing the backend EJBs?
    >
    > In the backend, we will have written custom security providers (based on Weblogic's
    > security example package from dev2dev) to handle the identity assertion, etc.
    >
    > Please advise if we are approaching this the wrong way. Essentially, the frontend
    > has been written. We now need to propagate the username to the backend to secure
    > the EJB access.
    >

    You have the username in the session, but have you actually authenticated?
    If not, what is the identity of the thread that is running in the frontend?
    Are you using the identity assertion provider in the front end (it sounds
    like you are not)?

    If you are writing your own atn providers on the backend, you may be able to
    authenticate to them using the username and some validation data as the
    password. Then you would use the normal authentication mechanisms when
    invoking on the backend (jndi or jaas login module).
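
    The two routes Peter describes, written out as an added Java example (this is
    not code from the thread, from BEA, or from the dev2dev sample package). It
    shows a frontend-side helper that either (1) opens a JNDI context to the
    backend with the session's username as the principal and some validation data
    as the credential, or (2) logs in through WebLogic's JAAS service to obtain a
    Subject and runs the backend EJB lookup under it, which is the shape of the
    setup Keith later reports working once both domains share the same custom
    providers and trust each other. The backend URL, the EJB JNDI name and the
    idea of an HMAC-style validation token are assumptions for illustration; the
    backend's custom authentication provider is what must actually verify the
    token.

```java
import java.security.PrivilegedAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import weblogic.security.Security;
import weblogic.security.SimpleCallbackHandler;
import weblogic.security.services.Authentication;

/**
 * Added example, not from the original post: propagating the frontend
 * session's username to a backend WebLogic instance for secured EJB access.
 */
public class BackendEjbAccess {

    // Assumed backend address. t3s (TLS) so the validation token is not
    // readable by anyone sniffing the frontend-to-backend link.
    private static final String BACKEND_URL = "t3s://backend.example.internal:7002";

    // Assumed JNDI name of the backend EJB home we want to reach.
    private static final String ORDER_HOME_JNDI = "ejb/OrderHome";

    /**
     * Route 1 (Peter's suggestion): authenticate to the backend over JNDI,
     * passing the username as the principal and the validation data as the
     * "password". The backend's custom authentication provider receives both
     * through its LoginModule callbacks and must check that the token is
     * genuine; this client code proves nothing by itself.
     */
    public static Context backendContext(String username, String validationToken)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, BACKEND_URL);
        env.put(Context.SECURITY_PRINCIPAL, username);
        env.put(Context.SECURITY_CREDENTIALS, validationToken);
        return new InitialContext(env);
    }

    /**
     * Route 2: log in once against the frontend's own security realm (which
     * must then carry the same custom providers as the backend) to obtain a
     * Subject, and run the EJB lookup under that Subject. Because no explicit
     * credentials are given to the InitialContext, WebLogic uses the current
     * Subject for the t3 connection and, with cross-domain trust configured,
     * the backend accepts the propagated identity without a second login.
     */
    public static Object lookupUnderIdentity(String username, String validationToken)
            throws LoginException {
        Subject subject = Authentication.login(
                new SimpleCallbackHandler(username, validationToken));

        return Security.runAs(subject, new PrivilegedAction<Object>() {
            public Object run() {
                try {
                    Hashtable<String, String> env = new Hashtable<String, String>();
                    env.put(Context.INITIAL_CONTEXT_FACTORY,
                            "weblogic.jndi.WLInitialContextFactory");
                    env.put(Context.PROVIDER_URL, BACKEND_URL);
                    // No SECURITY_PRINCIPAL / SECURITY_CREDENTIALS here on purpose:
                    // the runAs Subject is what travels with the call.
                    Context ctx = new InitialContext(env);
                    Object homeRef = ctx.lookup(ORDER_HOME_JNDI);
                    // Narrow homeRef to the (assumed) home interface and call
                    // business methods from here; the backend sees the caller
                    // as `username` when it enforces its EJB method permissions.
                    return homeRef;
                } catch (NamingException e) {
                    throw new RuntimeException("backend lookup failed", e);
                }
            }
        });
    }
}
```

    The check that matters in either route is what the backend's LoginModule does
    with `validationToken`. If it accepts any non-empty string, anyone who can
    reach the backend's listen port can present an arbitrary username and be
    treated as that user. Something the backend can independently verify, for
    example the decrypted logon-server token itself, or an HMAC over the username
    and a short expiry keyed with a secret shared only between the two servers,
    is what "validation data" has to mean for the scheme to secure the EJBs
    rather than merely label the caller.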





  3. Re: EJB security


    Hi Peter

    Thanks for your reply. As you have noted, I was not using custom providers at
    the frontend. This makes it difficult because everything is at the application
    level.

    I have changed it so that both frontend and backend have the same custom providers,
    as well as established a trust between the 2 domains.

    Running the sample security provider example from dev2dev works! And it propagates
    the security context from frontend to backend. Great!

    Now, I need to integrate our custom token at the frontend. I have a question on
    that, but I'll post it in another thread.

    Thanks again.
    Keith



    "Peter" wrote:
    >
    >"Keith Chew" wrote in message news:3f9dd228$1@newsgroups.bea.com...
    >>
    >> Hi
    >>
    >> We have 2 Weblogic instances (frontend & backend). The frontend web application
    >> receives a custom token during logon (from a logon server), which the application
    >> decrypts and checks that the user exists. This is similar to Weblogic's Identity
    >> Assertion.
    >>
    >> So far so good.
    >>
    >> Now, the frontend servlet needs to access EJBs from the backend instance. We already
    >> have the username in the session. How do we tell the frontend to use CSIv2 (CSI_PRINCIPAL_TYPE)
    >> when accessing the backend EJBs?
    >>
    >> In the backend, we will have written custom security providers (based on Weblogic's
    >> security example package from dev2dev) to handle the identity assertion, etc.
    >>
    >> Please advise if we are approaching this the wrong way. Essentially, the frontend
    >> has been written. We now need to propagate the username to the backend to secure
    >> the EJB access.
    >>
    >
    >You have the username in the session, but have you actually authenticated?
    >If not, what is the identity of the thread that is running in the frontend?
    >Are you using the identity assertion provider in the front end (it sounds
    >like you are not)?
    >
    >If you are writing your own atn providers on the backend, you may be able
    >to authenticate to them using the username and some validation data as the
    >password. Then you would use the normal authentication mechanisms when
    >invoking on the backend (jndi or jaas login module).
    >


