eDocs Home >  > Avitek Medical Records Development Tutorials > Moving to Production

Avitek Medical Records Development Tutorials

     Previous  Next    Open TOC in new window    View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

 

Moving to Production

 

Tutorial 18: Using the Administration Console to Secure Enterprise JavaBean (EJB) Resources

This tutorial describes how to secure Enterprise JavaBean (EJB) resources by using the Administration Console. It includes step-by-step procedures for creating scoped roles and security policies at various levels in the EJB resource hierarchy.

WARNING: This tutorial does not mimic the security configuration of the out-of-the-box MedRec application. Rather, it walks you through a series of steps that secure different levels of EJBs. After each step, you attempt to access the EJB resource to see the effect of implementing the security policy. It does not necessarily reflect a real-life scenario; the procedures just show you what is possible. At the end of the tutorial consider deleting the security policies you created so that the application returns to its correct security configuration. The configured security policies actually interfere with the correct functioning of the MedRec application.

The tutorial includes the following sections:

 

Prerequisites

Before starting this tutorial:

 

Procedure

To secure Enterprise JavaBean (EJB) resources by using the Administration Console:

Step 1: Create scoped roles and grant the scoped roles to groups.

  1. In the left Domain Structure pane of the Administration Console, click MedRecDomainArrow symbolDeployments.
  2. In the Deployments table in the left pane, expand medrecEar.
  3. Under the Modules category, click the sessionEjbs EJB module.
  4. Select the SecurityArrow symbolRoles tab.

    5. This page displays all the scoped roles currently defined in the WebLogic Role Mapping provider's database.

    Selecting this option enables you to create a security role that is scoped to this particular EJB JAR. Thereafter, the scoped role can be used in a security policy for this EJB JAR.

  5. Click New.
  6. In the Name field, enter MedRecSessionEJBPatient.
  7. Do not change the default value of the Provider Name field.
  8. Click OK.
  9. In the EJB Module Roles table, click MedRecSessionEJBPatient.
  10. In the Role Conditions section, click Add Conditions.
  11. In the Predicate List drop-down list box, select Group.
  12. Click Next.
  13. In the Role Argument Name field, enter MedRecPatients.
    14. Note: You created the MedRecPatients group as part of Tutorial 16: Creating Users, Groups, and Global Security Roles. Recall that user larry@bball.com is the only user in this group.
  14. Click Add.
  15. Click Finish.
  16. Click Save.

    17. The Role Conditions sections includes the entry Group MedRecPatients.

  17. Repeat steps 1- 16 to create the scoped role named MedRecSessionEJBAdmin and grant this scoped role to the MedRecAdmins group.
    18. Note: You created the MedRecAdmins group as part of Tutorial 16: Creating Users, Groups, and Global Security Roles. Recall that user admin@avitek.com is the only user in this group.

Step 2: Secure the sessionEjbs JAR.

  1. In the left Domain Structure pane of the Administration Console, click MedRecDomainArrow symbolDeployments.
  2. In the Deployments table in the left pane, expand medrecEar.
  3. Under the Modules category, click the sessionEjbs EJB module.
  4. Select the SecurityArrow symbolPolicies tab.

    5. From this page you can create a security policy at the EJB JAR level, which includes all EJBs within the JAR, and all methods within those EJBs.

  5. Click Add Conditions.
  6. In the Predicate List drop-down list, select Role.
  7. Click Next.
  8. In the Role Argument Name field, enter MedRecSessionEJBPatient.
  9. Click Add.
  10. Click Finish.
  11. Click Save.

    12. The Policy Conditions section includes the entry Role MedRecSessionEJBPatient.

    The Overwritten Policy section includes the entry Group everyone.

    By defining this security policy for the sessionEjbs JAR, you are overriding any security policies that have already been defined for the EJB resource type. For example, if you had previously specified that the entire medrecEar application can be accessed only by the MedRecAdmin role, then the Overwritten Policy section would include the text Role MedRecAdmin.

    However, in this case you are only overwriting the default security policy (Group everyone).

    For more information about default security policies, see Default Security Policies in Securing WebLogic Resources.

Step 3: Attempt to access an EJB in the SessionEJB JAR.

  1. Open a new Web browser and type http://host:7101/admin, where host refers to the computer hosting MedRecServer. If your browser is on the same computer, then you can use the URL http://localhost:7101/admin.
  2. In the User Name field, type admin@avitek.com, and in the Password field, type weblogic, then click Login.

    3. Remember that in Tutorial 17: Securing URL (Web) Resources Using the Administration Console, you granted the MedRecAdmin role permission to access the admin Web Application. Because admin@avitek.com has been assigned the MedRecAdmin role (via the MedRecAdmins group), the admin@avitek.com user is thus allowed to log in to the admin Web Application.

  3. On the Administration Tasks page, click the View Pending Requests link.

    4. The browser returns the following error: 

    [EJB:010160]Security Violation: User: 'admin@avitek.com' has insufficient permission to access EJB: type=<ejb>, application=medrecEar, module=sessionEjbs, ejb=AdminSessionEJB, method=findNewUsers, methodInterface=Remote, signature={}.

    The error is displayed because access to the findNewUsers() method in AdminSessionEJB, an EJB within the sessionEjbs JAR you previously secured, is needed to view pending requests. User admin@avitek.com is not granted the MedRecSessionEJBPatient scoped role that was used to create the security policy, and therefore is not granted access.

Step 4: Secure the AdminSessionEJB.

  1. In the left Domain Structure pane of the Administration Console, click MedRecDomainArrow symbolDeployments.
  2. In the Deployments table in the left pane, expand medrecEar.
  3. Under the EJBs category, click the AdminSessionEJB EJB module.
  4. Select the SecurityArrow symbolPolicies tab.

    5. From this page you can create a security policy for the specified EJB, either at the EJB level (meaning the security policy will apply to all methods within the EJB), or a particular method within the EJB.

  5. In the EJB Component Methods drop-down list, ensure that the default ALL is selected.
  6. Click Add Conditions.
  7. In the Predicate List drop-down list, select Role.
  8. Click Next.
  9. In the Role Argument Name field, enter MedRecSessionEJBAdmin.
  10. Click Add.
  11. Click Finish.
  12. Click Save.

    13. The Policy Conditions section includes the entry Role MedRecSessionEJBAdmin.

    The Overwritten Policy section includes the entry Role MedRecSessionEJBPatient.

    By defining this security policy for AdminSessionEJB, you are overriding the security policy that has already been defined for the EJB JAR in Step 2: Secure the sessionEjbs JAR. Specifically, you are overriding the inherited policy statement of Role MedRecSessionEJBPatient.

Step 5: Attempt to access AdminSessionEJB.

Repeat steps 1 - 3 in Step 3: Attempt to access an EJB in the SessionEJB JAR..

Instead of displaying the error page, the browser now displays the list of pending requests.

This result occurs because user admin@avitek.com has been granted the MedRecEJBSessionAdmin scoped role. This scoped role was used to create the security policy for AdminSessionEJB, the EJB containing the findNewUsers() method that is needed to view pending requests.

Step 6: Secure the findNewUsers() EJB method.

  1. In the left Domain Structure pane of the Administration Console, click MedRecDomainArrow symbolDeployments.
  2. In the Deployments table in the left pane, expand medrecEar.
  3. Under the EJBs category, click the AdminSessionEJB EJB module.
  4. Select the SecurityArrow symbolPolicies tab.

    5. From this page you can create a security policy for the specified EJB, either at the EJB level (meaning the security policy will apply to all methods within the EJB), or a particular method within the EJB.

  5. Using the EJB Component Methods drop-down list, select findNewUsers() - REMOTE.
  6. Click Add Conditions.
  7. In the Predicate List drop-down list, select Role.
  8. Click Next.
  9. In the Role Argument Name field, enter MedRecSessionEJBPatient.

    10. You defined this scoped role on SessionEJB, but because the findNewUsers() method is a component of AdminSessionEJB (itself a component of SessionEJB), you can also use it here.

  10. Click Add.
  11. Click Finish.
  12. Click Save.

    13. The Policy Conditions section includes the entry Role MedRecSessionEJBPatient.

    The Overwritten Policy section includes the entry Role MedRecSessionEJBAdmin.

    By defining this security policy on the findNewUsers() method, you are overriding the security policy that has already been defined for AdminSessionEJB in Step 4: Secure the AdminSessionEJB.. Specifically, you are overriding the inherited policy statement of Role MedRecSessionEJBAdmin that is shown when ALL is selected from the EJB Component Methods drop-down list.

Step 7: Attempt to access the findNewUsers() EJB method.

Repeat steps 1 - 3 in Step 3: Attempt to access an EJB in the SessionEJB JAR..

The browser displays an error page. This result occurs because only users granted the scoped role MedRecSessionEJBPatient can access the findNewUsers() method, which is needed to view pending requests. User admin@avitek.com is not granted the scoped role that was used to create the security policy, and therefore is not granted access.

Step 8: Optionally, remove the EJB security policies.

The security policies configured in this tutorial do not mimic the out-of-the-box security configuration of the MedRec application, but rather, simply provide examples of how you can secure EJB policies if you choose to do so in your own applications. The configured security policies actually interfere with the correct functioning of the MedRec application, so if you want to run the application without problems, you should remove the security policies as described in the following procedure.

  1. In the left Domain Structure pane of the Administration Console, click MedRecDomainArrow symbolDeployments.
  2. In the Deployments table in the left pane, expand medrecEar.
  3. Under the Modules category, click the sessionEjbs EJB module.
  4. Select the SecurityArrow symbolPolicies tab.
  5. In the Policies Conditions table, check Role MedRecSessionEJBPatient.
  6. Click Remove.
  7. Click Save.
  8. In the left pane, click MedRecDomainArrow symbolDeployments.
  9. In the Deployments table in the right pane, navigate to the AdminSessionEJB EJB module of the medrecEar application.
  10. Select the SecurityArrow symbolPolicies tab.
  11. In the EJB Component Methods drop-down list, select ALL.
  12. In the Policy Conditions table, check Role MedRecSessionAdmin.
  13. Click Remove.
  14. Click Save.
  15. In the EJB Component Methods drop-down list, select findNewUsers() - REMOTE.
  16. In the Policy Conditions table, check Role MedRecSessionEJBPatient.
  17. Click Remove.
  18. Click Save.

 

Best Practices

 

The Big Picture

This tutorial shows you how to secure application and various Enterprise JavaBean (EJB) resources. The examples here do not reflect the security configuration of the out-of-the-box MedRec application. However, the full MedRec application uses these same principles (as well as programmatic security) to secure EJB resources for both MedRec administrators and patients.

 

Related Reading


  Back to Top       Previous  Next