
Weblogic EJB security roles

22 Feb

In my earlier blog post I mentioned the option of an Oracle Service Bus custom reporting provider and used a simple MDB to show the content of the report Java objects. To make sure I have an example at my disposal at all times, and to help out in general: during deployment you might run into the following error/warning:

<Warning> <EJB> <BEA-010061> <The Message-Driven EJB: QueueMessageDrivenEJBBean is unable to  connect to the JMS destination: wli/reporting/jmsprovider/queue. The Error was: javax.naming.NoPermissionException: User <anonymous> does not have permission on wli.reporting to perform lookup operation.

The reason is that your EJB wants to connect to the queue wli/reporting/jmsprovider/queue, where unauthorised access is prohibited. If we check the queue's security policy (select queue -> security -> policies) we can see that only 2 roles have authorisation:

So we can either change the policy on the queue (not advised) or make sure our EJB uses proper authentication. The most basic version could be:

basic weblogic-ejb-jar.xml


<?xml version="1.0" encoding="UTF-8"?>
<!--weblogic-version:10.3.5-->
<wls:weblogic-ejb-jar xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd http://xmlns.oracle.com/weblogic/weblogic-ejb-jar http://xmlns.oracle.com/weblogic/weblogic-ejb-jar/1.2/weblogic-ejb-jar.xsd">

  <!-- This first segment is not necessary: if no run-as-principal-name is specified in
       run-as-role-assignment or in the bean-specific run-as-principal-name tag, the EJB
       container chooses the first principal-name in the security-role-assignment below
       and uses that principal-name as the run-as-principal-name. -->
  <wls:weblogic-enterprise-bean>
    <wls:ejb-name>CustomOsbReportProvider</wls:ejb-name>
    <wls:run-as-principal-name>weblogic</wls:run-as-principal-name>
  </wls:weblogic-enterprise-bean>

  <wls:security-role-assignment>
    <wls:role-name>adminsEJB</wls:role-name>
    <wls:principal-name>weblogic</wls:principal-name>
  </wls:security-role-assignment>
</wls:weblogic-ejb-jar>

basic ejb-jar.xml


<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:ejb="http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" version="3.0">
  <display-name>CustomOsbReportProvider </display-name>

  <enterprise-beans>
    <message-driven>
      <ejb-name>CustomOsbReportProvider</ejb-name>
      <ejb-class>nl.rubix.CustomOsbReportHandler</ejb-class>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <run-as>
          <description>EJB role used</description>
          <role-name>adminsEJB</role-name>
        </run-as>
      </security-identity>
    </message-driven>
  </enterprise-beans>

  <ejb-client-jar>CustomOsbReportProviderClient.jar</ejb-client-jar>
</ejb-jar>

However, with the help of the original JMSReportingProvider.jar it's fairly easy to create a more elegant version, which runs as alsb-system-user in the ALSBSystem role instead of as weblogic:

deluxe weblogic-ejb-jar.xml

<wls:weblogic-ejb-jar xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd http://xmlns.oracle.com/weblogic/weblogic-ejb-jar http://xmlns.oracle.com/weblogic/weblogic-ejb-jar/1.2/weblogic-ejb-jar.xsd">
  <!--weblogic-version:10.3.5-->

  <wls:weblogic-enterprise-bean>
    <wls:ejb-name>CustomOsbReportProvider</wls:ejb-name>
    <wls:message-driven-descriptor>
      <wls:pool>
        <wls:max-beans-in-free-pool>100</wls:max-beans-in-free-pool>
        <wls:initial-beans-in-free-pool>3</wls:initial-beans-in-free-pool>
      </wls:pool>
      <wls:destination-jndi-name>wli.reporting.jmsprovider.queue</wls:destination-jndi-name>
      <wls:max-messages-in-transaction>5</wls:max-messages-in-transaction>
    </wls:message-driven-descriptor>
    <wls:transaction-descriptor>
      <wls:trans-timeout-seconds>600</wls:trans-timeout-seconds>
    </wls:transaction-descriptor>
    <wls:run-as-principal-name>alsb-system-user</wls:run-as-principal-name>
  </wls:weblogic-enterprise-bean>

  <wls:transaction-isolation>
    <wls:isolation-level>TransactionReadCommitted</wls:isolation-level>
    <wls:method>
      <wls:description>Ensure the container starts a ReadCommitted transaction</wls:description>
      <wls:ejb-name>CustomOsbReportProvider</wls:ejb-name>
      <wls:method-name>*</wls:method-name>
    </wls:method>
  </wls:transaction-isolation>
  <wls:disable-warning>BEA-010001</wls:disable-warning>

</wls:weblogic-ejb-jar>

deluxe ejb-jar.xml

<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:ejb="http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" version="3.0">
  <display-name>CustomOsbReportProvider </display-name>
  <enterprise-beans>
    <message-driven>
      <description>Custom Reporting Provider for OSB</description>
      <ejb-name>CustomOsbReportProvider</ejb-name>
      <ejb-class>nl.rubix.CustomOsbReportHandler</ejb-class>
      <transaction-type>Container</transaction-type>
      <message-destination-type>javax.jms.Queue</message-destination-type>
      <activation-config>
        <activation-config-property>
          <activation-config-property-name>acknowledgeMode</activation-config-property-name>
          <activation-config-property-value>Auto-acknowledge</activation-config-property-value>
        </activation-config-property>
      </activation-config>
      <security-identity>
        <run-as>
          <description>EJB role used</description>
          <role-name>ALSBSystem</role-name>
        </run-as>
      </security-identity>
    </message-driven>
  </enterprise-beans>

  <assembly-descriptor>
    <container-transaction>
      <method>
        <ejb-name>CustomOsbReportProvider</ejb-name>
        <method-name>*</method-name>
      </method>
      <trans-attribute>Required</trans-attribute>
    </container-transaction>
  </assembly-descriptor>

  <ejb-client-jar>CustomOsbReportProviderClient.jar</ejb-client-jar>
</ejb-jar>
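
To review which principal each bean ends up running as, the resolution rule from the comment in the basic weblogic-ejb-jar.xml can be applied to a descriptor pair offline. This is an added example, not code from the original post or from Oracle; the function names, the ADMIN_PRINCIPALS set, the order between the two explicit tags and the cut-down sample descriptors are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

JEE = "{http://java.sun.com/xml/ns/javaee}"
WLS = "{http://xmlns.oracle.com/weblogic/weblogic-ejb-jar}"
ADMIN_PRINCIPALS = {"weblogic"}  # assumption: accounts too privileged for run-as

# Constructed samples: the basic descriptors above, cut down to their security elements.
BASIC_EJB = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"><enterprise-beans>
<message-driven><ejb-name>CustomOsbReportProvider</ejb-name><security-identity>
<run-as><role-name>adminsEJB</role-name></run-as></security-identity>
</message-driven></enterprise-beans></ejb-jar>"""
BASIC_WLS = """<w:weblogic-ejb-jar xmlns:w="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar">
<w:security-role-assignment><w:role-name>adminsEJB</w:role-name>
<w:principal-name>weblogic</w:principal-name></w:security-role-assignment>
</w:weblogic-ejb-jar>"""

def text(node, path):
    """Stripped text of the first matching child, or None if absent or empty."""
    value = (node.findtext(path) or "").strip()
    return value or None

def resolve_run_as(ejb_jar_xml, wls_ejb_jar_xml):
    """Map ejb-name -> (run-as role, effective principal or None)."""
    std, wls = ET.fromstring(ejb_jar_xml), ET.fromstring(wls_ejb_jar_xml)
    per_bean = {text(b, WLS + "ejb-name"): text(b, WLS + "run-as-principal-name")
                for b in wls.iter(WLS + "weblogic-enterprise-bean")}
    per_role = {text(r, WLS + "role-name"): text(r, WLS + "run-as-principal-name")
                for r in wls.iter(WLS + "run-as-role-assignment")}
    first_principal = {}
    for a in wls.iter(WLS + "security-role-assignment"):
        principal = text(a, WLS + "principal-name")
        if principal:
            first_principal.setdefault(text(a, WLS + "role-name"), principal)
    resolved = {}
    for bean in std.iterfind(f"{JEE}enterprise-beans/*"):
        role = text(bean, f"{JEE}security-identity/{JEE}run-as/{JEE}role-name")
        if role:
            # Bean-specific tag first (assumed to win), then the role-level tag, then fallback.
            principal = (per_bean.get(text(bean, JEE + "ejb-name"))
                         or per_role.get(role) or first_principal.get(role))
            resolved[text(bean, JEE + "ejb-name")] = (role, principal)
    return resolved

def audit(ejb_jar_xml, wls_ejb_jar_xml):
    """Return (ejb-name, role, principal) for admin or unresolved run-as identities."""
    return [(name, role, who)
            for name, (role, who) in resolve_run_as(ejb_jar_xml, wls_ejb_jar_xml).items()
            if who is None or who in ADMIN_PRINCIPALS]
```

A principal of None means only that the descriptor pair itself names no principal for the run-as role.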

Posted by on 22-02-2012 in Weblogic

 
