Security demo
remote interface
/**
 * Remote (component) interface of the security demo bean.
 *
 * Both methods are plain business calls; nothing in this interface expresses who may call them.
 * The sample output further down shows the container refusing secret() with a
 * "Client not authorized for this invocation" RemoteException, i.e. the access decision is made
 * by the container from the deployment descriptor's method permissions (not shown in this listing),
 * and surfaces to callers as a RemoteException they must be prepared to catch.
 */
public interface RISecurity extends javax.ejb.EJBObject {
/** Method the demo grants to every authenticated caller; returns a fixed marker string. */
String open() throws java.rmi.RemoteException;
/** Method the demo restricts to the admin role; returns a fixed marker string or fails with RemoteException when the container denies the call. */
String secret() throws java.rmi.RemoteException;
}
home interface
/**
 * Home interface of the security demo bean, looked up under the JNDI name "SecurityHome" by both
 * clients in this listing. create() itself can be refused by the container in the same way as a
 * business method (the application-client output "before adding role ANYONE" shows no open() result
 * at all), so callers should not assume a home lookup implies the right to create or call the bean.
 */
public interface HISecurity extends javax.ejb.EJBHome {
/** Creates a bean reference; maps to SecurityBean.ejbCreate(). */
RISecurity create() throws javax.ejb.CreateException, java.rmi.RemoteException;
}
bean implementation
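/**
 * Session bean behind {@link RISecurity} / {@link HISecurity}.
 *
 * Authorization is NOT enforced in this class. Whether open()/secret() may be invoked is decided
 * by the container from the method-permission entries in the deployment descriptor (not part of
 * this listing): in the sample output the "Client not authorized for this invocation"
 * RemoteException appears without a matching "SecurityBean.secret() - called by ..." trace, i.e.
 * the call is rejected before the method body runs. The isCallerInRole() calls below are
 * diagnostic only - their result is printed, never acted on - so a caller the descriptor admits
 * reaches secret() even when the printed role check is false (see the "guest" runs in the output).
 *
 * "CodedAdmin" is the role name as coded here. The EJB 2.x programming model expects such a coded
 * name to be linked to a deployed security role through a security-role-ref in the descriptor;
 * that mapping is not visible in this listing - verify it exists, otherwise the printed check is
 * not meaningful.
 */
public class SecurityBean implements javax.ejb.SessionBean {
    /** Role name used in the diagnostic check; must correspond to a security-role-ref. */
    private static final String CODED_ROLE = "CodedAdmin";

    /** Container-supplied context; the only source of caller identity available to the bean. */
    private javax.ejb.SessionContext context;

    // corresponds to HISecurity.create()
    public void ejbCreate() { System.out.println( "SecurityBean.ejbCreate" ); }

    // "business" interface from RISecurity.
    // Declared public: the EJB 2.x spec requires business methods of the bean class to be public so
    // the container-generated EJBObject can invoke them. The original package-private declaration
    // evidently worked with the container used for the sample output, but it is not portable.
    public String open() {
        traceCaller( "open" );
        return "SecurityBean.open()";
    }

    public String secret() {
        traceCaller( "secret" );
        return "SecurityBean.secret()";
    }

    /**
     * Prints the caller principal and the diagnostic role check for the named business method.
     * Output format is exactly that of the original inline code ("SecurityBean.X() - called by P,
     * isInRole(CodedAdmin) B"). Nothing here denies access.
     */
    private void traceCaller( String methodName ) {
        System.out.print( "SecurityBean." + methodName + "() - " );
        java.security.Principal p = context.getCallerPrincipal();
        System.out.print( "called by " + p.getName() );
        System.out.println( ", isInRole(" + CODED_ROLE + ") "
                + context.isCallerInRole( CODED_ROLE ) );
    }

    // "technical" interface from javax.ejb.SessionBean
    public void ejbActivate() { System.out.println( "SecurityBean.ejbActivate" ); }
    public void ejbPassivate() { System.out.println( "SecurityBean.ejbPassivate" ); }
    public void ejbRemove() { System.out.println( "SecurityBean.ejbRemove" ); }
    public void setSessionContext( javax.ejb.SessionContext ctx ) {
        System.out.println( "SecurityBean.setSessionContext" );
        context = ctx;
    }
}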
servlet client
import javax.rmi.*; // PortableRemoteObject.narrow(), NamingException
import javax.naming.*; // InitialContext
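/**
 * Web client of the security demo: calls open() and secret() on the bean and writes both results
 * as HTML.
 *
 * Security notes:
 * - The servlet performs no access check of its own. The web user's identity (student / vince in
 *   the sample output) is propagated by the container to the EJB call, and it is the EJB
 *   container's method permissions that deny secret() to "student".
 * - A denied call surfaces as java.rmi.RemoteException, which extends IOException and so escapes
 *   doGet() and is rendered by the container as a 500 "Internal Servlet Error" with the exception
 *   text (see sample output). For anything beyond a demo, map that authorization failure to
 *   403 without echoing exception details; it is left propagating here to keep the sample output valid.
 * - The strings written to the page are fixed bean return values, not request data, so no HTML
 *   escaping is needed; anything taken from the request would have to be escaped before output.
 */
public class SecurityServlet extends javax.servlet.http.HttpServlet {
    /** JNDI name of the bean's home interface. */
    private static final String HOME_JNDI_NAME = "SecurityHome";

    /**
     * Lazily created bean reference shared by all requests. Guarded by {@code this} in
     * {@link #securityBean()} because one servlet instance serves concurrent requests; the
     * original unsynchronized lazy init could create several references or read a half-published one.
     */
    private RISecurity securityObject = null;

    /**
     * Returns the shared bean reference, creating it on first use.
     *
     * @throws javax.servlet.ServletException if the home lookup, narrow or create fails; the original
     *         only printed the stack trace and then dereferenced the still-null field (NPE -> 500
     *         with no useful message).
     */
    private synchronized RISecurity securityBean() throws javax.servlet.ServletException {
        if (securityObject == null) {
            try {
                InitialContext ic = new InitialContext();
                Object obj = ic.lookup( HOME_JNDI_NAME );
                HISecurity factoryObject = (HISecurity) PortableRemoteObject.narrow( obj, HISecurity.class );
                securityObject = factoryObject.create();
            } catch (Exception ex) {
                // Cause is preserved so the container's error log still shows the root failure.
                throw new javax.servlet.ServletException( "lookup/create of " + HOME_JNDI_NAME + " failed", ex );
            }
        }
        return securityObject;
    }

    public void doGet( javax.servlet.http.HttpServletRequest request,
            javax.servlet.http.HttpServletResponse response )
            throws java.io.IOException, javax.servlet.ServletException {
        System.out.println( "******************* doGet *******************" );
        RISecurity bean = securityBean();

        // Invoke both methods before writing anything: if the container denies secret(), the
        // RemoteException propagates with no partial HTML already committed to the response.
        String openResult = bean.open();
        String secretResult = bean.secret();

        response.setContentType( "text/html" );
        java.io.PrintWriter out = response.getWriter();
        out.println( "<HTML><TITLE>Security Servlet</TITLE><BODY>" );
        out.println( "<h2>" + openResult + "</h2>" );
        out.println( "<h2>" + secretResult + "</h2>" );
        out.println( "</BODY></HTML>" );
        out.close();
    }

    /** POST is treated exactly like GET; there is no state-changing operation to protect. */
    public void doPost( javax.servlet.http.HttpServletRequest request,
            javax.servlet.http.HttpServletResponse response )
            throws java.io.IOException, javax.servlet.ServletException {
        System.out.println( "******************* doPost *******************" );
        doGet( request, response );
    }
}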
/**
////////// USER - student, not authorized for secret() //////////
******************* doGet *******************
SecurityBean.open() - called by student, isInRole(CodedAdmin) false
SecurityBean.open()
Error: 500
Internal Servlet Error:
java.rmi.RemoteException: Client not authorized for this invocation.
////////// ADMIN - vince, all methods enabled //////////
******************* doGet *******************
SecurityBean.open() - called by vince, isInRole(CodedAdmin) true
SecurityBean.secret() - called by vince, isInRole(CodedAdmin) true
SecurityBean.open()
SecurityBean.secret()
**/
command line application client
import javax.rmi.*; // PortableRemoteObject.narrow(), NamingException
import javax.naming.*; // InitialContext
/**
 * Command-line client of the security demo: obtains the home, creates the bean and prints the
 * result of open() and then secret().
 *
 * Every failure - naming, create, or the container's "Client not authorized" RemoteException - is
 * caught in main() and reported with a stack trace, which is what the sample output below shows.
 * open() is printed before secret() is invoked, so a denied secret() still leaves the open() line
 * on the console. Which principal the container assigns to this client ("guest" in the sample
 * output) is decided by the container / client setup, not by this code.
 */
public class SecurityApplication {
    /** JNDI name under which the home interface is bound. */
    private static final String HOME_JNDI_NAME = "SecurityHome";

    public static void main( String[] args ) {
        try {
            RISecurity bean = createBean();
            System.out.println( bean.open() );
            System.out.println( bean.secret() );
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    /** Looks up and narrows the home, then creates one bean reference. */
    private static RISecurity createBean()
            throws NamingException, javax.ejb.CreateException, java.rmi.RemoteException {
        InitialContext namingContext = new InitialContext();
        Object homeRef = namingContext.lookup( HOME_JNDI_NAME );
        HISecurity home = (HISecurity) PortableRemoteObject.narrow( homeRef, HISecurity.class );
        return home.create();
    }
}
/**
////////// before adding role ANYONE //////////
D:\j2eeDemos\security> java SecurityApplication
java.rmi.ServerException: RemoteException occurred in server thread;
nested exception is:
java.rmi.RemoteException: Client not authorized for this invocation.
////////// after adding role ANYONE - all methods enabled: secret() is now reachable by the "guest" principal even though isInRole(CodedAdmin) is false, because only the descriptor's method permission decides //////////
D:\j2eeDemos\security> java SecurityApplication
SecurityBean.open()
SecurityBean.secret()
SecurityBean.setSessionContext
SecurityBean.ejbCreate
SecurityBean.open() - called by guest, isInRole(CodedAdmin) false
SecurityBean.secret() - called by guest, isInRole(CodedAdmin) false
////////// after adding role ANYONE, with secret() removed from the method permission - open() allowed, secret() refused by the container before the bean method runs //////////
D:\j2eeDemos\security> java SecurityApplication
SecurityBean.open()
java.rmi.ServerException: RemoteException occurred in server thread;
nested exception is:
java.rmi.RemoteException: Client not authorized for this invocation.
SecurityBean.setSessionContext
SecurityBean.ejbCreate
SecurityBean.open() - called by guest, isInRole(CodedAdmin) false
**/