Secure EJB Sample

The following sample demonstrates how to secure EJBs in your application by providing a servlet protected by a role, which invokes a method on an injected EJB.

Description

This sample demonstrates how to secure EJBs in your application. The application consists of a servlet protected by a role, servletRole, which invokes the method hello on an injected EJB; that method is in turn protected by a second role, ejbRole. The sample's server is configured so that all authenticated users can access the servlet, but only user1 is mapped to ejbRole and therefore only user1 can invoke the EJB method. The following steps describe how to test the sample and what the expected results are.
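The two role checks described above live in the application itself, not in server.xml. The following is an added illustration (not the sample's own source, which ships inside SecureEJBSample.ear) of how they can be declared with deployment descriptors. The servlet name SecureEJBServlet and the URL /sampleServlet come from the sample's output and URL; the EJB name SecureEJB, the package sample and the realm name SampleRealm are assumptions made for this example.

```xml
<!-- Two separate files shown together; both are example content, not the sample's own descriptors. -->

<!-- WEB-INF/web.xml: the servlet is reachable only by users in servletRole, authenticated with BASIC auth -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>SecureEJBServlet</servlet-name>
    <servlet-class>sample.SecureEJBServlet</servlet-class> <!-- package is an assumption -->
  </servlet>
  <servlet-mapping>
    <servlet-name>SecureEJBServlet</servlet-name>
    <url-pattern>/sampleServlet</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sample servlet</web-resource-name>
      <url-pattern>/sampleServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>servletRole</role-name>   <!-- first check: who may reach the servlet -->
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>        <!-- produces the browser credential prompt used in the steps -->
    <realm-name>SampleRealm</realm-name>    <!-- assumed realm name -->
  </login-config>
  <security-role>
    <role-name>servletRole</role-name>
  </security-role>
</web-app>

<!-- META-INF/ejb-jar.xml: the hello method is callable only by users in ejbRole, regardless of how they reached it -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.1">
  <enterprise-beans>
    <session>
      <ejb-name>SecureEJB</ejb-name>        <!-- assumed bean name -->
      <ejb-class>sample.SecureEJB</ejb-class>
      <session-type>Stateless</session-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>ejbRole</role-name>
    </security-role>
    <method-permission>
      <role-name>ejbRole</role-name>        <!-- second check: who may invoke hello -->
      <method>
        <ejb-name>SecureEJB</ejb-name>
        <method-name>hello</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

The same declarations can be made with annotations instead (@ServletSecurity with @HttpConstraint(rolesAllowed = "servletRole") on the servlet and @RolesAllowed("ejbRole") on the bean method); which form the shipped sample uses is not stated on this page. The point the sample makes is that the EJB container enforces ejbRole on every call to hello independently of the web tier, so a caller who has already passed the servletRole check is still rejected at the EJB boundary if they lack ejbRole.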

Positive scenario – user is authorized

In this scenario, you will access the servlet with a user who is authorized to both the servlet and the EJB method.

  1. Start the SecureEJBSampleServer server by following the Unpacking Instructions.
  2. Access the servlet: http://localhost:9101/SecureEJBSample/sampleServlet (where port 9101 assumes the httpEndpoint provided in the sample server.xml has not been modified).
  3. At the prompt, enter the authorized user information:
    • user: user1
    • password: user1pwd
  4. Confirm the hello method in the EJB is called by validating the servlet output is as follows:
    In SecureEJBServlet, Hello Secure EJB World.

Negative scenario – user is not authorized to the EJB

In this scenario, you will access the servlet with a user who is not authorized to the EJB, because they are not mapped to the ejbRole in the application-bnd stanza of the server.xml.

  1. Access the servlet: http://localhost:9101/SecureEJBSample/sampleServlet (where port 9101 assumes the httpEndpoint provided in the sample server.xml has not been modified).
  2. At the prompt, enter the unauthorized user information, for example:
    • user: user2
    • password: user2pwd

    (you can also enter the credentials for any other user in the basicRegistry except user1)

  3. Confirm the hello method in the EJB is not called because the user is not authorized by validating the servlet output is as follows:
    javax.ejb.EJBAccessException: CWWKS9400A: Authorization failed for user user2 while invoking hello on SecureEJBSample. The user is not granted access to any of the required roles: [ejbRole].
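The role-to-user mapping that drives both scenarios is the application-bnd stanza in server.xml. The sample's own server.xml is in the zip and is not reproduced on this page; the configuration below is an added example that realises the behaviour the page describes (every authenticated user gets servletRole, only user1 gets ejbRole). The feature versions, the httpEndpoint id, the realm name and the application element attributes are assumptions; the user names, passwords, port and role names are taken from the page.

```xml
<!-- Example server.xml for the SecureEJBSampleServer; constructed here, not the file shipped in the zip -->
<server description="SecureEJBSampleServer">

  <featureManager>
    <feature>servlet-3.0</feature>       <!-- versions assumed; any Liberty 8.5.5 level with these features works -->
    <feature>ejbLite-3.1</feature>
    <feature>appSecurity-2.0</feature>   <!-- enables the registry, role mapping and the EJB method checks -->
  </featureManager>

  <!-- Port 9101 is the one the test steps use -->
  <httpEndpoint id="defaultHttpEndpoint" host="localhost" httpPort="9101" httpsPort="9444"/>

  <!-- Users referenced in the positive and negative scenarios -->
  <basicRegistry id="basic" realm="SampleRealm">
    <user name="user1" password="user1pwd"/>
    <user name="user2" password="user2pwd"/>
  </basicRegistry>

  <application id="SecureEJBSample" name="SecureEJBSample" type="ear" location="SecureEJBSample.ear">
    <application-bnd>
      <!-- servletRole: every authenticated registry user, so user1 and user2 both reach the servlet -->
      <security-role name="servletRole">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
      <!-- ejbRole: user1 only, so user2 gets CWWKS9400A when the servlet calls hello -->
      <security-role name="ejbRole">
        <user name="user1"/>
      </security-role>
    </application-bnd>
  </application>

</server>
```

Two things worth checking when adapting this: first, a user who is missing from ejbRole is rejected even though the servlet runs as them, which is exactly the CWWKS9400A message above and is the behaviour to verify after any change to the mapping. Second, the passwords here are plain text for readability of the sample; for a real server, store them with the value produced by `bin/securityUtility encode` rather than in the clear, and review the application-bnd whenever a role is widened to a group or a special subject such as ALL_AUTHENTICATED_USERS.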

This sample can be installed onto runtime versions 8.5.5.0 and later.

Instructions

Start the SecureEJBSample server by running the command ‘bin/server run SecureEJBSampleServer’ from the root of the Liberty profile installation, and confirm the application started by looking for the following message in the log:

CWWKZ0001I: Application SecureEJBSample started in XX.XX seconds.

Sample Structure

  • SecureEJBSampleServer.zip
    • wlp
      • usr
        • servers
          • SecureEJBSample
            • readme.html
            • server.xml
            • apps
              • SecureEJBSample.ear (includes source and binaries)