users@jersey.java.net

@EJB injection and security contexts.

From: Rabick, Mark (MS)
Date: Wed, 28 Jan 2009 10:18:33 -0600

The Resource method that uses the injected remote interface "NodeRemote"
is:

        // imports assumed by this fragment: javax.ejb.EJB, javax.ws.rs.GET,
        // javax.ws.rs.Path, javax.ws.rs.Produces
        @EJB private NodeRemote nodeRemote;

        @GET @Path("/nodeRemote")
        @Produces("text/plain")
        public String doNodeRemote() {
                String msg = null;
                int count = 0;
                try {
                        // Query by example: count every node of type DEVICE through the remote EJB
                        mil.cnodb.persistence.Node exampleNode = new mil.cnodb.persistence.Node();
                        exampleNode.setNodeTypeGeneral("DEVICE");
                        count = nodeRemote.countByExample(exampleNode);
                        msg = String.format("Nodes with Device: %d", count);
                }
                catch (CdalAccessException cae) {
                        // application exception reported to the client as a failed access check
                        msg = "Access Exception: " + cae.getMessage();
                }
                catch (Exception e) {
                        msg = "Exception: " + e.getMessage();
                }
                return msg;
        }

The bean that implements NodeRemote has an interceptor that pulls the
security principal string from the javax.ejb.SecurityContext and does
some functional level permission checking based on the specific method
that is called. It appears that even though I specify a particular
principal/credential (weblogic/weblogic) in the creation of the
initialContext, the
javax.ejb.SecurityContext.getCallerPrincipal().toString() returns the
javax.ws.rs.core.SecurityContext.getUserPrincipal() value which I guess
is due to the deference to HttpServletRequest.getUserPrincipal.

I haven't gotten to certificate or credential-based JAX-RS services yet,
so my resources are open to anonymous. I'd like to be able to specify
either a cert or principal/credential to be passed in the HTTP message
to my resource and pass that information to the context of an EJB
connection.
--mark
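As an added illustration (not code from this thread, from Jersey, or from WebLogic), here is a fail-closed version of the kind of method-level permission interceptor Mark describes. It takes the caller from the EJB container's own context (javax.ejb.SessionContext, which exposes EJBContext.getCallerPrincipal()), not from the SECURITY_PRINCIPAL property of an InitialContext, which is why an unauthenticated HTTP call still shows up as "<anonymous>". The permission table, the method name deleteNode and the principal names other than weblogic are constructed assumptions.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

/** Hypothetical interceptor; attach it to the bean with @Interceptors. */
public class MethodPermissionInterceptor {

    // Constructed permission table: EJB method name -> principals allowed to call it.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
            "countByExample", Set.of("weblogic", "auditor"),
            "deleteNode", Set.of("weblogic"));

    @Resource
    private SessionContext ctx;   // injected by the EJB container, not by the caller

    @AroundInvoke
    public Object checkPermission(InvocationContext ic) throws Exception {
        String method = ic.getMethod().getName();
        Principal caller = ctx.getCallerPrincipal();
        // WebLogic reports an unauthenticated caller as "<anonymous>"; treat a null the same way
        String name = caller == null ? "<anonymous>" : caller.getName();

        if (!isAllowed(method, name)) {
            // Fail closed: anonymous or unlisted principals never reach the bean method
            throw new EJBAccessException(
                    "principal '" + name + "' may not call " + method);
        }
        return ic.proceed();
    }

    // Pure decision logic, kept container-free so it can be unit-tested directly.
    static boolean isAllowed(String method, String principal) {
        if (principal == null || principal.isEmpty() || "<anonymous>".equals(principal)) {
            return false;
        }
        Set<String> allowed = ALLOWED.get(method);
        return allowed != null && allowed.contains(principal);
    }
}
```

The point of the split between checkPermission and isAllowed is that the authorization decision depends only on what the container asserts about the caller, so a client cannot influence it by setting JNDI environment properties on its own InitialContext.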

-----Original Message-----
From: Paul.Sandoz_at_Sun.Com [mailto:Paul.Sandoz_at_Sun.Com]
Sent: Wednesday, January 28, 2009 10:04 AM
Subject: RE: Comment: @EJB injection

Paul Sandoz wrote:

Hi Mark,

When using Servlet, Jersey implements the
SecurityContext.getUserPrincipal by deferring to
HttpServletRequest.getUserPrincipal.

However, Jersey does nothing with the java.security.Principal. Just as
if you wrote a simple servlet to do the same thing with InitialContext.

Perhaps there is some configuration missing in the web.xml?

Have you tried a very simple application using a basic servlet to see if
you can reproduce it?

Paul.
P.S. It might be easier to discuss further on users_at_jersey.dev.java.net.

----
Respond to this comment at: 
http://blogs.sun.com/sandoz/entry/ejb_injection#comments
mark rabick wrote: 
I've implemented Domenico's modified code and I'm having trouble getting
the appropriate principal for an explicit connection to an EJB.  I
modified the code slightly:
			// needs java.util.Properties, javax.naming.Context, javax.naming.InitialContext;
			// 'c' is assumed to be the Class<?> whose simple name is the JNDI name (from Domenico's code)
			Properties props = new Properties();
			props.put(Context.SECURITY_PRINCIPAL, "weblogic");
			props.put(Context.SECURITY_CREDENTIALS, "weblogic");

			Context ic = new InitialContext(props);
			// dump the environment the context actually holds
			for (Object o : ic.getEnvironment().keySet()) {
				String s = String.format("ENV key=%s  val=%s", o.toString(), ic.getEnvironment().get(o));
				System.out.println(s);
			}
			String simpleName = c.getSimpleName();
			System.out.println("Looking up: " + simpleName);
			final Object o = ic.lookup(simpleName);
The System.out.println of the context's env is:
ENV key=java.naming.factory.initial  val=weblogic.jndi.WLInitialContextFactory
ENV key=java.naming.factory.url.pkgs  val=weblogic.jndi.factories:weblogic.corba.j2ee.naming.url:weblogic.jndi.factories:weblogic.corba.j2ee.naming.url
ENV key=java.naming.security.principal  val=weblogic
ENV key=java.naming.security.credentials  val=weblogic
but when I execute a remote method that checks the principal for
appropriate permissions, it indicates that the principal is
"<anonymous>" even though the context indicates
otherwise.  Does Jersey currently use the
javax.ws.rs.core.SecurityContext java.security.Principal returned from
the getUserPrincipal method?