Can anybody settle my problem about security config?
ligw
Sep 4th, 2004, 04:44 AM
My application is based on RCP + SessionBean + DAO, and the app server is WebLogic.
Now I have some questions about remoting authentication and authorization. (Should I use RmiProxyFactoryBean? How do I retrieve the GrantedAuthority[] of a valid user and put the new Authentication (including the GrantedAuthority[]) into the SecurityContext? ... many, many questions.)
Can anyone, or the Acegi team, give me some advice about how to configure the security system on both the client side and the server side? A sample configuration would be desirable.
I will appreciate it very much, thank you!
Ben Alex
Sep 4th, 2004, 06:19 PM
There is a package, net.sf.acegisecurity.providers.rcp, which provides everything you need. Basically your server-side has a bean exposed, RemoteAuthenticationManagerImpl:
public GrantedAuthority[] attemptAuthentication(String username,
String password) throws RemoteAuthenticationException;
This bean can receive a remote authentication request (via a standard remoting protocol such as Hessian) and will delegate to the server-side AuthenticationManager to determine if the authentication is valid, and if so, the GrantedAuthority[]s that apply to that user.
On the RCP side you use the RemoteAuthenticationProvider. It passes authentication requests to the server-side RemoteAuthenticationManagerImpl. For successful authentications, it builds an Authentication that can then be placed onto the client-side ContextHolder. Typically you'll use the details in that Authentication to setup the BASIC authentication headers of your remoting client proxies, and/or enable secured actions in the RCP project.
Check out the Petclinic RCP sample to see all of this in action.
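The client-side flow described above, written out as an added illustration for this thread (it is not Petclinic RCP code): authenticate through RemoteAuthenticationProvider against the server's RemoteAuthenticationManagerImpl over Hessian, keep the returned Authentication in the client's security context, and hand the confirmed username and password to the Hessian service proxies as BASIC credentials. Assumed, and not taken from the post: the Acegi 0.9 package layout (SecurityContextHolder), Spring's HessianProxyFactoryBean with its username/password properties, placeholder URLs, and a hypothetical BasedbmnDao remote interface named after the DAO discussed later in the thread.

```java
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.context.SecurityContextHolder;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.providers.rcp.RemoteAuthenticationManager;
import net.sf.acegisecurity.providers.rcp.RemoteAuthenticationProvider;
import org.springframework.remoting.caucho.HessianProxyFactoryBean;

/**
 * Rich-client login: authenticate remotely, store the result client-side, then
 * configure secured service proxies. Assumes Acegi 0.9 packages and Spring's
 * HessianProxyFactoryBean; URLs and the DAO interface are placeholders.
 */
public class RcpLogin {

    // Placeholder endpoints for the example; substitute the real server URLs.
    static final String AUTH_URL = "http://server.example/remoting/RemoteAuthenticationManager";
    static final String DAO_URL  = "http://server.example/remoting/BasedbmnDao";

    /** Hypothetical remote business interface, named after the DAO in this thread. */
    public interface BasedbmnDao {
        java.util.List loadAll();
    }

    /** Builds a Hessian proxy; username/password are null for the login endpoint. */
    static Object hessianProxy(Class serviceInterface, String url, String username, String password)
            throws Exception {
        HessianProxyFactoryBean factory = new HessianProxyFactoryBean();
        factory.setServiceInterface(serviceInterface);
        factory.setServiceUrl(url);
        if (username != null) {
            // Sent by the Hessian client as an HTTP BASIC Authorization header, which
            // the server's BASIC processing filter turns into a server-side Authentication.
            factory.setUsername(username);
            factory.setPassword(password);
        }
        factory.afterPropertiesSet(); // creates the proxy (may throw MalformedURLException)
        return factory.getObject();
    }

    /**
     * Authenticates against the server-side RemoteAuthenticationManagerImpl.
     * On success the returned token carries the GrantedAuthority[] assigned by
     * the server; on failure the provider throws an AuthenticationException.
     */
    static Authentication login(String username, String password) throws Exception {
        RemoteAuthenticationManager remote = (RemoteAuthenticationManager)
                hessianProxy(RemoteAuthenticationManager.class, AUTH_URL, null, null);

        RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider();
        provider.setRemoteAuthenticationManager(remote);

        Authentication result = provider.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));

        // Make the authenticated principal available to the rest of the client.
        SecurityContextHolder.getContext().setAuthentication(result);
        return result;
    }

    /** Builds a service proxy that presents the confirmed credentials on every call. */
    static Object secureServiceProxy(Class serviceInterface, String url, Authentication auth)
            throws Exception {
        // Assumes the provider keeps the confirmed password as the token's credentials.
        return hessianProxy(serviceInterface, url,
                auth.getPrincipal().toString(), auth.getCredentials().toString());
    }

    /** True when the client-side Authentication holds the role, e.g. to enable a UI action. */
    static boolean hasRole(Authentication auth, String role) {
        GrantedAuthority[] authorities = auth.getAuthorities();
        for (int i = 0; authorities != null && i < authorities.length; i++) {
            if (role.equals(authorities[i].getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Authentication auth = login(args[0], args[1]);
        System.out.println("Supervisor actions enabled: " + hasRole(auth, "ROLE_SUPERVISOR"));

        BasedbmnDao dao = (BasedbmnDao) secureServiceProxy(BasedbmnDao.class, DAO_URL, auth);
        System.out.println("Rows loaded: " + dao.loadAll().size());
    }
}
```

The client-side Authentication only drives the user interface (which actions to enable); the server re-checks the BASIC credentials on every call and derives the roles itself, so the client never has to ship its GrantedAuthority[] back to the server.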
ligw
Sep 6th, 2004, 09:07 AM
Thank you very much, Ben.
Now I can authenticate whether a user is valid using the Hessian protocol and retrieve the GrantedAuthority[] of the current user from the ContextHolder.
So there are two modules on my app server (WebLogic): one is a web service module which exposes RemoteAuthenticationManager and provides the authentication service for the remoting client; the other is an EJB module containing the DAOs and a facade stateless session bean which implements the CommandHandler interface and is the entrance from the client to the business layer.
I define a security interceptor (in the EJB module) to protect the DAO business object (example as follows: daoTarget):
......
<bean id="securityInterceptor" class="net.sf.acegisecurity.intercept.method.MethodSecurityInterceptor">
    <property name="validateConfigAttributes"><value>false</value></property>
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
    <property name="runAsManager"><ref bean="runAsManager"/></property>
    <property name="objectDefinitionSource">
        <value>
            com.caec.amis.dao.basemn.BasedbmnDao.loadAll=ROLE_TELLER
            com.caec.amis.dao.basemn.BasedbmnDao.load=ROLE_TELLER
            com.caec.amis.dao.basemn.BasedbmnDao.update=ROLE_TELLER
            com.caec.amis.dao.basemn.BasedbmnDao.add=ROLE_SUPERVISOR
            com.caec.amis.dao.basemn.BasedbmnDao.delete=ROLE_SUPERVISOR
        </value>
    </property>
</bean>
<bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
    <property name="interceptorNames">
        <list>
            <value>securityInterceptor</value>
        </list>
    </property>
    <property name="beanNames">
        <list>
            <value>daoTarget</value>
        </list>
    </property>
</bean>
......
Now, if a valid user sends a request to access the remote stateless session bean and invoke a method defined in the DAO, this error comes up: A valid SecureContext was not Provided in the RequestContext.
I want to know:
How do I define the SecurityInterceptor to protect my business object? How do I retrieve the GrantedAuthority[] in the client-side ContextHolder on WebLogic? Should I pass the GrantedAuthority[] from the client to the server (EJB module) on each request?
Does authorization need Hessian?
Sorry, I am a freshman.
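To make the configuration above concrete, here is an added illustration (not Acegi's own code) that parses the property-style objectDefinitionSource and reproduces the decision the MethodSecurityInterceptor reaches with a RoleVoter: the call is public when no definition matches, rejected when the server thread carries no Authentication (the situation behind the error quoted above), and otherwise granted only if the caller holds one of the listed ROLE_ authorities. The method and role names are the ones from the configuration; the "method*" suffix matching mirrors Acegi's wildcard convention and is the one generalization beyond the config shown.

```java
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Evaluates "fqcn.method=ROLE_A,ROLE_B" definitions the way a
 * MethodSecurityInterceptor with a RoleVoter does. Illustration written for
 * this thread; plain JDK, no Acegi dependency.
 */
public class MethodRoleCheck {

    public static final String PUBLIC = "PUBLIC";                         // no definition: call passes through
    public static final String NO_AUTHENTICATION = "NO_AUTHENTICATION";   // secured, but no Authentication present
    public static final String GRANTED = "GRANTED";
    public static final String DENIED = "DENIED";

    /** fully qualified method (possibly ending in '*') -> set of acceptable roles */
    private final Map definitions = new LinkedHashMap();

    public MethodRoleCheck(String source) {
        String[] lines = source.split("\\r?\\n");
        for (int i = 0; i < lines.length; i++) {
            String line = lines[i].trim();
            if (line.length() == 0 || line.startsWith("#")) {
                continue;
            }
            int eq = line.indexOf('=');
            if (eq <= 0) {
                throw new IllegalArgumentException("Expected 'method=ROLE_A,ROLE_B' but got: " + line);
            }
            String method = line.substring(0, eq).trim();
            String[] roles = line.substring(eq + 1).split(",");
            Set accepted = new HashSet();
            for (int j = 0; j < roles.length; j++) {
                String role = roles[j].trim();
                if (role.length() > 0) {
                    accepted.add(role);
                }
            }
            definitions.put(method, accepted);
        }
    }

    /** Role set for a method: an exact entry wins, then the first matching '*' suffix entry. */
    Set rolesFor(String fullyQualifiedMethod) {
        Set exact = (Set) definitions.get(fullyQualifiedMethod);
        if (exact != null) {
            return exact;
        }
        for (Iterator it = definitions.entrySet().iterator(); it.hasNext();) {
            Map.Entry entry = (Map.Entry) it.next();
            String pattern = (String) entry.getKey();
            if (pattern.endsWith("*")
                    && fullyQualifiedMethod.startsWith(pattern.substring(0, pattern.length() - 1))) {
                return (Set) entry.getValue();
            }
        }
        return null;
    }

    /** callerRoles == null models a server thread whose security context holds no Authentication. */
    public String decide(String fullyQualifiedMethod, String[] callerRoles) {
        Set required = rolesFor(fullyQualifiedMethod);
        if (required == null) {
            return PUBLIC;
        }
        if (callerRoles == null) {
            return NO_AUTHENTICATION;
        }
        for (int i = 0; i < callerRoles.length; i++) {
            if (required.contains(callerRoles[i])) {
                return GRANTED;
            }
        }
        return DENIED;
    }

    public static void main(String[] args) {
        // The definitions from the interceptor configuration in this thread.
        String source =
            "com.caec.amis.dao.basemn.BasedbmnDao.loadAll=ROLE_TELLER\n"
          + "com.caec.amis.dao.basemn.BasedbmnDao.load=ROLE_TELLER\n"
          + "com.caec.amis.dao.basemn.BasedbmnDao.update=ROLE_TELLER\n"
          + "com.caec.amis.dao.basemn.BasedbmnDao.add=ROLE_SUPERVISOR\n"
          + "com.caec.amis.dao.basemn.BasedbmnDao.delete=ROLE_SUPERVISOR\n";
        MethodRoleCheck check = new MethodRoleCheck(source);
        String[] teller = { "ROLE_TELLER" };
        String dao = "com.caec.amis.dao.basemn.BasedbmnDao.";
        System.out.println("load as teller:      " + check.decide(dao + "load", teller));
        System.out.println("delete as teller:    " + check.decide(dao + "delete", teller));
        System.out.println("load, no context:    " + check.decide(dao + "load", null));
        System.out.println("toString as teller:  " + check.decide(dao + "toString", teller));
    }
}
```

The third case is the one the error message reports: the interceptor finds a definition for the method but nothing in the server-side context to vote on, so something on the server (the BASIC filter, or a propagated invocation) has to populate that context before the secured bean is reached.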
Ben Alex
Sep 6th, 2004, 07:10 PM
You need your client to populate the Hessian client proxies with the username and password confirmed via RemoteAuthenticationManagerImpl. This will be presented to your server via BASIC authentication. On your server side you need it to handle the BASIC authentication by configuring the respective filter. See the Petclinic RCP for a full example (which uses this approach and contains a RemotingSecurityConfigurer class which does the client proxy configuration).
tcollins
Sep 6th, 2004, 09:34 PM
See the Petclinic RCP for a full example (which uses this approach and contains a RemotingSecurityConfigurer class which does the client proxy configuration).
Where can I find this sample? The Petclinic RCP?
Thanks :!:
Ben Alex
Sep 7th, 2004, 06:14 AM
Petclinic RCP lives within the Spring Rich Client project, which is a Spring sub-project. Spring Rich Client Project has its own CVS repository under http://sourceforge.net/projects/spring-rich-c/, so you'll need to checkout the code from there.
aidano
May 18th, 2005, 07:25 PM
Ben, I'd like to ask a follow on question relating to this topic:
How do I go about implementing this if I'm not using HTTP-based remoting? My current setup involves the client using SimpleRemoteStatelessSessionProxyFactoryBean objects to delegate services to an EJB layer just using a JNDI lookup. Right now we have no need to tunnel over HTTP.
What alternative to BASIC authentication can I use in this case?
There is a package, net.sf.acegisecurity.providers.rcp, which provides everything you need. Basically your server-side has a bean exposed, RemoteAuthenticationManagerImpl:
public GrantedAuthority[] attemptAuthentication(String username,
String password) throws RemoteAuthenticationException;
This bean can receive a remote authentication request (via a standard remoting protocol such as Hessian) and will delegate to the server-side AuthenticationManager to determine if the authentication is valid, and if so, the GrantedAuthority[]s that apply to that user.
On the RCP side you use the RemoteAuthenticationProvider. It passes authentication requests to the server-side RemoteAuthenticationManagerImpl. For successful authentications, it builds an Authentication that can then be placed onto the client-side ContextHolder. Typically you'll use the details in that Authentication to setup the BASIC authentication headers of your remoting client proxies, and/or enable secured actions in the RCP project.
Check out the Petclinic RCP sample to see all of this in action.
Ben Alex
May 19th, 2005, 06:06 AM
So you have a client and need to access a SLSB on a remote server? What do you want Acegi Security to secure (the EJB on the server)?
A few threads that might help:
http://forum.springframework.org/showthread.php?t=14161
http://forum.springframework.org/showthread.php?t=14549
aidano
May 19th, 2005, 11:16 AM
So you have a client and need to access a SLSB on a remote server? What do you want Acegi Security to secure (the EJB on the server)?
A few threads that might help:
http://forum.springframework.org/showthread.php?t=14161
http://forum.springframework.org/showthread.php?t=14549
That's right, client -> SLSB on a remote server which I need to secure. Currently we're using SimpleRemoteStatelessSessionProxyFactoryBeans to provide access to the EJB services on the client.
ContextPropagatingRemoteInvocation looks useful and sounds like what I was in search of, but I cannot find any examples of its use. Can you point me to where I can see how it's set up in a Spring config file?
(When I search these forums for ContextPropagatingRemoteInvocation I get 0 results which is strange)
rockhopper
Jul 27th, 2005, 06:56 AM
Hi all,
So you have a client and need to access a SLSB on a remote server? What do you want Acegi Security to secure (the EJB on the server)?
A few threads that might help:
http://forum.springframework.org/showthread.php?t=14161
http://forum.springframework.org/showthread.php?t=14549
That's right, client -> SLSB on a remote server which I need to secure. Currently we're using SimpleRemoteStatelessSessionProxyFactoryBeans to provide access to the EJB services on the client.
ContextPropagatingRemoteInvocation looks useful and sounds like what I was in search of, but I cannot find any examples of its use. Can you point me to where I can see how it's set up in a Spring config file?
(When I search these forums for ContextPropagatingRemoteInvocation I get 0 results which is strange)
I'm also using SimpleRemoteStatelessSessionProxyFactoryBeans and have quite the same problem:
- authentication on the client side is OK (it is fully done on the client side)
- when issuing a remote call on my EJB, I get the following error:
net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: Authentication credentials were not found in the SecurityContext
(I guess it's the role of 'ContextPropagatingRemoteInvocation' to fill the SecurityContext on the server side using the Authentication credentials acquired on the client side)
Could you help me understand how it works?
Some examples?
Help would be greatly appreciated.
Johann
Ben Alex
Jul 30th, 2005, 08:59 PM
I've never used ContextPropagatingRemoteInvocation, but basically you'd use ContextPropagatingRemoteInvocationFactory on the client to generate your RemoteInvocation. On the server-side, the generated ContextPropagatingRemoteInvocation will have its invoke method called and this will automatically set the ContextHolder/SecurityContextHolder for the duration of the invocation.
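The propagation mechanism Ben sketches, as an added illustration for this thread rather than Acegi's own ContextPropagatingRemoteInvocation classes: on the client, a RemoteInvocationFactory attaches the caller's principal and credentials to each RemoteInvocation; on the server, a RemoteInvocationExecutor re-authenticates them with the server's own AuthenticationManager, populates the holder for the duration of the call, and clears it afterwards. Carrying only the credentials (rather than a whole serialized context) is this example's design choice, so the server never trusts client-asserted roles. Assumed, and not from the post: the Acegi 0.9 package layout and Spring's org.springframework.remoting.support API; the attribute keys are chosen here. Note that RemoteInvocation objects are the wire format of Spring's RMI and HTTP invoker remoting; Spring's EJB proxies (SimpleRemoteStatelessSessionProxyFactoryBean) call the remote interface directly and do not pass through this path.

```java
import java.io.Serializable;
import java.lang.reflect.InvocationTargetException;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationManager;
import net.sf.acegisecurity.context.SecurityContextHolder;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.remoting.support.RemoteInvocation;
import org.springframework.remoting.support.RemoteInvocationExecutor;
import org.springframework.remoting.support.RemoteInvocationFactory;

/**
 * Client side: tag every RemoteInvocation with the caller's principal and
 * credentials from the client's security context. Illustration for this thread
 * (not Acegi's ContextPropagatingRemoteInvocationFactory); assumes Acegi 0.9.
 * Wire with RmiProxyFactoryBean.setRemoteInvocationFactory(...).
 */
public class CredentialPropagatingInvocationFactory implements RemoteInvocationFactory {

    // Attribute keys chosen for this example.
    static final String PRINCIPAL_ATTR = "example.principal";
    static final String CREDENTIALS_ATTR = "example.credentials";

    public RemoteInvocation createRemoteInvocation(MethodInvocation methodInvocation) {
        RemoteInvocation invocation = new RemoteInvocation(methodInvocation);
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) {
            // Only what the server needs to authenticate travels; the GrantedAuthority[]
            // stays behind, so the server never has to trust roles asserted by a client.
            invocation.addAttribute(PRINCIPAL_ATTR, (Serializable) auth.getPrincipal());
            invocation.addAttribute(CREDENTIALS_ATTR, (Serializable) auth.getCredentials());
        }
        return invocation;
    }
}

/**
 * Server side: re-authenticate the propagated credentials, populate the holder
 * for the duration of the call, and clear it in finally so a pooled RMI thread
 * cannot carry one caller's identity into the next request.
 * Wire with RmiServiceExporter.setRemoteInvocationExecutor(...).
 */
class ReauthenticatingInvocationExecutor implements RemoteInvocationExecutor {

    private final AuthenticationManager authenticationManager;

    ReauthenticatingInvocationExecutor(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public Object invoke(RemoteInvocation invocation, Object targetObject)
            throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
        Object principal = invocation.getAttribute(CredentialPropagatingInvocationFactory.PRINCIPAL_ATTR);
        Object credentials = invocation.getAttribute(CredentialPropagatingInvocationFactory.CREDENTIALS_ATTR);
        try {
            if (principal != null) {
                // Throws an (unchecked) AuthenticationException on bad credentials, so the
                // secured target is never reached with an unverified identity.
                Authentication verified = authenticationManager.authenticate(
                        new UsernamePasswordAuthenticationToken(principal, credentials));
                SecurityContextHolder.getContext().setAuthentication(verified);
            }
            // With an Authentication in the holder, a MethodSecurityInterceptor
            // around targetObject can now vote on the caller's roles.
            return invocation.invoke(targetObject);
        } finally {
            SecurityContextHolder.getContext().setAuthentication(null);
        }
    }
}
```

Because the credentials ride inside the serialized invocation, this only makes sense over a transport that protects them (RMI over SSL or an HTTPS invoker); the re-authentication on every call costs a lookup per request but keeps the server's authorization decision grounded in its own user store rather than in whatever the client sent.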