Referencing EJBs through CORBA

Remote EJBs exposed through CORBA are referenced by creating a Client Security Service (CSS) and configuring the EJB reference to use that CSS.

Creating a Client Security Service (CSS)

Creating a Client Security Service is done by using XML embedded in an org.apache.geronimo.corba.CSSBean GBean definition as the cssConfig attribute. This GBean can be added to any deployment plan. You can create this XML by using an XML editor or a simple text editor. The schema diagram for this XML is as follows:

The following are the child elements of cssConfig:

  • description: A standard Java EE description with a lang attribute.

  • compoundSecMechTypeList: A list of one or more compoundSecMech elements. The target EJB must use one of the methods configured here by using compoundSecMech child elements, or else the connection will fail. This element has an attribute stateful, which, when set to true, will cache the security information provided by the caller on the server to avoid additional overhead on each call.

  • compoundSecMech: Configures the authentication and identification strategies supported by this CSS. Each element of this type holds a single configuration. The target EJB must support the security information provided by one of these configurations in order for the communication to proceed.

The schema diagram of compoundSecMech is as follows:

SSL

The SSL block is used to configure a CORBA client to communicate with the server over SSL. The following are the attributes of the SSL element:

  • handshakeTimeout: Timeout for the SSL handshake.

The following are the child elements under the SSL element:

  • supports: Lists the security properties that this SSL connection will support. Common values are Integrity, Confidentiality, EstablishTrustInTarget, and EstablishTrustInClient. Other possible values include DetectReplay and DetectMisordering. Multiple values can be specified, separated by spaces.

  • requires: Lists security properties that this SSL connection will require. Common values are Integrity, Confidentiality, EstablishTrustInTarget, and EstablishTrustInClient. Other possible values include DetectReplay and DetectMisordering. Multiple values can be specified, separated by spaces.

  • trustGroup: Not currently used. It is intended to automatically configure clients or hosts that Geronimo trusts.

The following is an explanation of the various values used by the supports and requires elements:

  • Integrity: The data should not be altered by a third party during communication.

  • Confidentiality: The data should not be observed by a third party during communication.

  • EstablishTrustInTarget: The target (server or EJB) should prove its authenticity to the client (for example, by providing a valid digital certificate).

  • EstablishTrustInClient: The client should prove its authenticity to the server. This option is used to obtain the client's digital certificates.

  • DetectReplay: The server should detect if a third party replays some previous traffic from the client.

  • DetectMisordering: The server should detect if traffic from the client arrives out of order.

Authentication mechanism

By using the GSSUPStatic and GSSUPDynamic elements, a CORBA client can provide authentication information to the remote server, which will end up executing a login on the server side to decide whether to permit access to the remote EJB.

  • GSSUPStatic: This indicates that all of the callers will use a specific configured username and password to authenticate to the remote service. The username attribute specifies the username. The password attribute specifies the password. The domain attribute specifies a security realm against which the username and password will be used to authenticate.

  • GSSUPDynamic: This indicates that the caller will pass its own username and password to the remote CORBA server. The domain-name attribute specifies the name of the security realm to authenticate against. Because the credentials are to be stored in the subject, the security realm needs a special configuration setting of NamedUsernamePasswordCredentialLoginModule, with the credential name set to the same as that of the domain-name.

The login-module configuration of a sample security realm needed to support GSSUPDynamic is as follows:

<xml-reference name="LoginModuleConfiguration">
  <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
    <log:login-module control-flag="REQUIRED" wrap-principals="false">
      <log:login-domain-name>packt-properties-realm</log:login-domain-name>
      <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
      <log:option name="usersURI">var/security/packt-users.properties</log:option>
      <log:option name="groupsURI">var/security/packt-groups.properties</log:option>
    </log:login-module>
    <log:login-module control-flag="OPTIONAL" wrap-principals="false">
      <log:login-domain-name>packt-properties-realm-NamedUPC</log:login-domain-name>
      <log:login-module-class>org.apache.geronimo.security.realm.providers.NamedUsernamePasswordCredentialLoginModule</log:login-module-class>
      <log:option name="Name">packt-properties-realm</log:option>
    </log:login-module>
  </log:login-config>
</xml-reference>

Notice that the NamedUsernamePasswordCredentialLoginModule is configured with the credential name packt-properties-realm.

Identity tokens

The schema diagram of sasMech is as follows:

The various identity tokens, and what their presence indicates, are as follows:

  • ITTAbsent: The client will not send any identification information to the server.

  • ITTAnonymous: The client will send an identification token, asserting that it is anonymous.

  • ITTPrincipalNameStatic: The client always sends a fixed principal name to the remote CORBA service, irrespective of the user who is locally executing the CORBA client. The name attribute specifies the principal name to be sent, and the oid attribute specifies the OID to be sent along with the principal name. The default value for OID is 2.23.130.1.1.1.

  • ITTPrincipalNameDynamic: The client sends the name of a principal in the current user's Subject to the remote CORBA service. The principal-class attribute specifies the fully-qualified name of a Java principal class that should be looked for in the current user's Subject. If the domain attribute is specified, then advanced role mapping must be enabled for the security realm that handles this user's login. A principal will only count if it is of the correct class and came from a login domain with this name. If the realm attribute is specified, then advanced role mapping must be enabled for the security realm that handles this user's login, and a principal will only count if it is of the correct class and came from a security realm with this name. The oid attribute specifies the OID to be sent along with the principal. The default value for OID is 2.23.130.1.1.1.

Configuring the EJB reference to use CSS

A web application or an EJB can declare a reference to a remote EJB by using the ejb-ref element in web.xml or ejb-jar.xml, respectively. Such a reference to a CORBA EJB should use the EJB's remote interfaces. The following is a sample EJB reference in a web application:

<ejb-ref>
  <ejb-ref-name>ejb/MyCorbaService</ejb-ref-name>
  <ejb-ref-type>Session</ejb-ref-type>
  <home>simple.ejb21.MyServiceHome</home>
  <remote>simple.ejb21.MyService</remote>
</ejb-ref>

This EJB reference is then mapped to a CORBA EJB in the deployment plan of the web or EJB application. The ns-corbaloc and name child elements of the ejb-ref element in the deployment plan configure the CORBA EJB. The css-link child element under the ejb-ref element in the deployment plan links the specific CSS GBean to be used by that EJB reference.

Sample web application accessing CORBA EJBs

The sample web application configures an EJB reference ejb/MyCorbaService to invoke the MySessionBean EJB that is exposed through CORBA by the EJB sample from a previous section. We will now go through the various steps involved in referencing a CORBA EJB.

Sample CSS

The following is a CSS that uses no SSL and no authentication:

<dep:gbean name="NoSecurity" class="org.apache.geronimo.corba.CSSBean" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dep:reference name="TransactionManager">
    <dep:name>TransactionManager</dep:name>
  </dep:reference>
  <dep:reference name="ConfigAdapter">
    <dep:name>ORBConfigAdapter</dep:name>
  </dep:reference>
  <dep:attribute name="description">NoSecurity</dep:attribute>
  <dep:xml-attribute name="cssConfig">
    <css:css xmlns:css="http://openejb.apache.org/xml/ns/corba-css-config-2.1">
      <css:compoundSecMechTypeList>
        <css:compoundSecMech>
          <css:SSL>
            <css:supports>Integrity Confidentiality EstablishTrustInTarget EstablishTrustInClient</css:supports>
            <css:requires/>
          </css:SSL>
        </css:compoundSecMech>
      </css:compoundSecMechTypeList>
    </css:css>
  </dep:xml-attribute>
</dep:gbean>

The following is a CSS that uses SSL, and logs in by using a preconfigured username and password with GSSUPStatic:

<dep:gbean name="SSLWithUsernamePassword" class="org.apache.geronimo.corba.CSSBean" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dep:reference name="TransactionManager">
    <dep:name>TransactionManager</dep:name>
  </dep:reference>
  <dep:reference name="ConfigAdapter">
    <dep:name>ORBConfigAdapter</dep:name>
  </dep:reference>
  <dep:reference name="SSLConfig">
    <dep:name>CORBASSLConfig</dep:name>
  </dep:reference>
  <dep:attribute name="description">SSLWithUsernamePassword</dep:attribute>
  <dep:xml-attribute name="cssConfig">
    <css:css xmlns:css="http://openejb.apache.org/xml/ns/corba-css-config-2.1">
      <css:compoundSecMechTypeList>
        <css:compoundSecMech>
          <css:SSL>
            <css:supports>Integrity Confidentiality EstablishTrustInClient</css:supports>
            <css:requires>Integrity Confidentiality</css:requires>
          </css:SSL>
          <css:GSSUPStatic username="packtadmin" password="admin" domain="packt-properties-realm"/>
          <css:sasMech>
            <css:ITTAbsent/>
          </css:sasMech>
        </css:compoundSecMech>
      </css:compoundSecMechTypeList>
    </css:css>
  </dep:xml-attribute>
</dep:gbean>
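
The page describes GSSUPDynamic (forwarding the caller's own credentials saved by NamedUsernamePasswordCredentialLoginModule) and ITTPrincipalNameDynamic, but shows a CSS only for GSSUPStatic. The following is an added example, not from the original sample, of a CSS that combines both against the packt-properties-realm realm configured above; the GBean name SSLWithCallerCredentials and the choice of GeronimoUserPrincipal as the asserted principal class are assumptions, and the target EJB's TSS must accept this mechanism for the call to succeed.

```xml
<dep:gbean name="SSLWithCallerCredentials" class="org.apache.geronimo.corba.CSSBean"
           xsi:type="dep:gbeanType"
           xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dep:reference name="TransactionManager">
    <dep:name>TransactionManager</dep:name>
  </dep:reference>
  <dep:reference name="ConfigAdapter">
    <dep:name>ORBConfigAdapter</dep:name>
  </dep:reference>
  <!-- same SSL configuration GBean as the SSLWithUsernamePassword sample -->
  <dep:reference name="SSLConfig">
    <dep:name>CORBASSLConfig</dep:name>
  </dep:reference>
  <dep:attribute name="description">SSLWithCallerCredentials</dep:attribute>
  <dep:xml-attribute name="cssConfig">
    <css:css xmlns:css="http://openejb.apache.org/xml/ns/corba-css-config-2.1">
      <!-- stateful="true" lets the server cache the caller's security context between calls -->
      <css:compoundSecMechTypeList stateful="true">
        <css:compoundSecMech>
          <css:SSL>
            <!-- everything listed in requires must also appear in supports -->
            <css:supports>Integrity Confidentiality EstablishTrustInTarget EstablishTrustInClient</css:supports>
            <!-- unlike the NoSecurity CSS (empty requires), insist on encryption and on the
                 server proving its identity before any credentials are sent over the wire -->
            <css:requires>Integrity Confidentiality EstablishTrustInTarget</css:requires>
          </css:SSL>
          <!-- no fixed username/password here: the username and password of the currently
               logged-in user are read from the private credential that the
               NamedUsernamePasswordCredentialLoginModule (Name = packt-properties-realm)
               stored in the Subject, and are authenticated against that realm on the server -->
          <css:GSSUPDynamic domain-name="packt-properties-realm"/>
          <css:sasMech>
            <!-- assumed principal class: send the name of the caller's GeronimoUserPrincipal
                 found in the current Subject (default OID 2.23.130.1.1.1) -->
            <css:ITTPrincipalNameDynamic principal-class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
          </css:sasMech>
        </css:compoundSecMech>
      </css:compoundSecMechTypeList>
    </css:css>
  </dep:xml-attribute>
</dep:gbean>
```

An ejb-ref whose css-link names SSLWithCallerCredentials will then invoke the remote EJB as the web user who logged in, which is the behaviour the third invocation in the deployment walkthrough below relies on.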

Configure the EJB reference similar to the following:

<nam:ejb-ref xmlns:nam="http://geronimo.apache.org/xml/ns/naming-1.2">
  <nam:ref-name>ejb/MyCorbaService</nam:ref-name>
  <nam:ns-corbaloc>corbaloc::localhost:1050/NameService</nam:ns-corbaloc>
  <nam:name>ejb/MySessionBean</nam:name>
  <nam:css-link>SSLWithUsernamePassword</nam:css-link>
</nam:ejb-ref>

The following sample code shows how the EJB is invoked in a servlet:

MyService corbaService = null;
try {
    InitialContext ic = new InitialContext();
    // The JNDI lookup returns an IIOP stub; it must be narrowed to the home interface
    // before the session bean can be created
    Object temp = ic.lookup("java:comp/env/ejb/MyCorbaService");
    MyServiceHome home = (MyServiceHome) javax.rmi.PortableRemoteObject.narrow(temp, MyServiceHome.class);
    corbaService = home.create();
} catch (Exception ex) {
    System.out.println("Couldn't lookup MyCorbaService bean. " + ex.getMessage());
}
// Only invoke the remote EJB if the lookup and create succeeded
if (corbaService != null) {
    corbaService.convertUSD2EURO(10.0);
}

Deploying and running the sample

Deploy the mycorbaejbwebapp-1.0.war provided in the samples by using either the Deploy New portlet or the command-line deployer. Access the link http://localhost:8080/mycorbaejbwebapp/securejsp?usd=20. Log in by using the username packtuser1 and the default password user1. Notice that, in the console window, the output shows the convertUSD2EURO() method called three times. The first invocation with principal GeronimoUserPrincipal (packtuser1) is a local EJB invocation. The second invocation with principal GeronimoUserPrincipal (packtadmin) is a remote CORBA EJB invocation configured by GSSUPStatic, with the username packtadmin. The third invocation with GeronimoUserPrincipal (packtuser1) is a remote CORBA EJB invocation configured by GSSUPDynamic. Note that we have configured packt-properties-realm to save the username and password in a private credential in the Subject, which is used to invoke the remote CORBA EJB when configured with GSSUPDynamic.
