users@glassfish.java.net

how to secure JNDI lookups in Glassfish application server

From: legolas wood <legolas.w_at_gmail.com>
Date: Tue, 09 Jan 2007 10:36:00 +0330

Hi, it's the second time that I post this message, with the hope that I find some
answer to this.

We have an application running on GlassFish and it is exposed to the
internet because we have some web services, some Swing clients and some
non-Java clients.
As you know, we can look up the server JNDI from a remote client if we
have the IP address and port of the server.
We need to leave this port open to the outside because our Swing client needs
to perform some lookups.

What makes me worry is the security of our system, because anyone can try
and look up our JNDI.

Is there any way to do some authentication before allowing anyone to
perform a lookup?
For example, passing some user/password with the InitialContext() properties?


thanks

To make sure that I explained correctly, here is what OC4J provides for
securing the JNDI lookup (remote method invocation):


import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// JNDI environment: provider factory, caller identity and credentials, server URL
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
env.put(Context.SECURITY_PRINCIPAL, "jazn.com/admin");
env.put(Context.SECURITY_CREDENTIALS, "password");
env.put(Context.PROVIDER_URL, "opmn:ormi://<hostname>:oc4j_inst1/ejbsamples");

// Throws NamingException (e.g. on failed authentication); the enclosing method must handle it
Context context = new InitialContext(env);


As you see, we can pass a JAZN user/password to make sure that the one who tries to initiate a context is a valid entity.
Here is the link to the Oracle document about this:
http://download-uk.oracle.com/docs/cd/B31017_01/web.1013/b28958/rmi.htm#BABDHCAB
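Added example, not part of the original post and not GlassFish or OC4J code: it shows the JNDI mechanism the OC4J snippet above relies on. `InitialContext` hands the whole environment `Hashtable` (including `Context.SECURITY_PRINCIPAL` and `Context.SECURITY_CREDENTIALS`) to the configured `InitialContextFactory`, so a provider can refuse to return any `Context` to callers that do not authenticate. The factory, the `jndi-reader` account, its password and the `ejb/OrderService` binding are all constructed for this illustration; a real provider would check the credentials against its security realm.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.naming.OperationNotSupportedException;
import javax.naming.spi.InitialContextFactory;

/**
 * Hypothetical in-process JNDI provider that authenticates before exposing
 * any bindings. Not the GlassFish or OC4J implementation; it only demonstrates
 * where SECURITY_PRINCIPAL / SECURITY_CREDENTIALS arrive on the provider side.
 */
public class AuthenticatedJndiDemo {

    public static class AuthenticatingContextFactory implements InitialContextFactory {
        // Constructed sample account; a real provider consults its security realm.
        private static final String DEMO_USER = "jndi-reader";
        private static final byte[] DEMO_SECRET =
            "s3cret-demo-password".getBytes(StandardCharsets.UTF_8);

        // Constructed sample bindings a remote client would look up.
        private static final Map<String, Object> BINDINGS = new HashMap<String, Object>();
        static {
            BINDINGS.put("ejb/OrderService", "OrderService stub (placeholder)");
        }

        @Override
        public Context getInitialContext(Hashtable<?, ?> env) throws NamingException {
            Object user = env.get(Context.SECURITY_PRINCIPAL);
            Object secret = env.get(Context.SECURITY_CREDENTIALS);
            if (!(user instanceof String) || !(secret instanceof String)) {
                // Anonymous callers never receive a Context, so they cannot enumerate bindings.
                throw new AuthenticationException("JNDI credentials required");
            }
            byte[] presented = ((String) secret).getBytes(StandardCharsets.UTF_8);
            // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
            boolean ok = DEMO_USER.equals(user) && MessageDigest.isEqual(DEMO_SECRET, presented);
            if (!ok) {
                throw new AuthenticationException("invalid JNDI credentials");
            }
            return readOnlyContext((String) user);
        }

        /** Builds a lookup-only Context via a dynamic proxy; every other operation is rejected. */
        private static Context readOnlyContext(final String user) {
            return (Context) Proxy.newProxyInstance(
                Context.class.getClassLoader(),
                new Class<?>[] { Context.class },
                new InvocationHandler() {
                    @Override
                    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
                        String op = m.getName();
                        if ("lookup".equals(op) && args != null && args[0] instanceof String) {
                            Object bound = BINDINGS.get(args[0]);
                            if (bound == null) {
                                throw new NameNotFoundException((String) args[0]);
                            }
                            return bound;
                        }
                        if ("close".equals(op)) {
                            return null;
                        }
                        if ("toString".equals(op)) {
                            return "ReadOnlyContext[" + user + "]";
                        }
                        // bind/rebind/unbind/list and friends: all Context methods declare NamingException
                        throw new OperationNotSupportedException(op + " not permitted for " + user);
                    }
                });
        }
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, AuthenticatingContextFactory.class.getName());

        // 1. No credentials: the factory refuses to hand out a Context at all.
        try {
            new InitialContext(env);
            System.out.println("unexpected: anonymous client was accepted");
        } catch (AuthenticationException e) {
            System.out.println("anonymous client rejected: " + e.getMessage());
        }

        // 2. Credentials supplied exactly as in the OC4J snippet, via the environment properties.
        env.put(Context.SECURITY_PRINCIPAL, "jndi-reader");
        env.put(Context.SECURITY_CREDENTIALS, "s3cret-demo-password");
        Context ctx = new InitialContext(env);
        System.out.println("authenticated lookup: " + ctx.lookup("ejb/OrderService"));
        ctx.close();
    }
}
```

Compile and run with `javac AuthenticatedJndiDemo.java && java AuthenticatedJndiDemo`. The point to take from it is that the credential check lives in the provider's factory, before any `Context` exists, so unauthenticated callers get nothing to enumerate; whether the credentials themselves are protected on the wire is a separate property of the provider's remote protocol (here there is no network at all).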