I have my business classes protected by EJB3 security annotations; now I would like to call these methods from a Spring controller. How do I do it?
Edit: I will add some information about my setup. I'm using Tomcat for the web container and OpenEJB for embedding EJB into Tomcat. I did not settle on any version of Spring, so it's more or less open to suggestions.
Edit: the current setup works this way: I have a login form + controller that puts a User POJO inside SessionContext. Each time someone accesses a secured part of the site, the application checks for the User POJO; if it's there, it checks roles and then shows the page; if it's not, it shows an appropriate message or redirects to the login page. Now the business calls are made thanks to a call method inside User which bypasses a probable security context, which is a remix of this code found in the OpenEJB security examples:
    // Fragment of the OpenEJB security example (inside a test method; "context" is the
    // JNDI InitialContext, assertEquals is JUnit's). The Caller bean runs the Callable
    // under its own security context, so the nested lookup and calls are authorized
    // as that bean rather than as the original caller.
    Caller managerBean = (Caller) context.lookup("ManagerBeanLocal");
    managerBean.call(new Callable() {
        public Object call() throws Exception {
            // Looked up inside call(), so the proxy is obtained under the Caller bean's identity
            Movies movies = (Movies) context.lookup("MoviesLocal");
            movies.addMovie(new Movie("Quentin Tarantino", "Reservoir Dogs", 1992));
            movies.addMovie(new Movie("Joel Coen", "Fargo", 1996));
            movies.addMovie(new Movie("Joel Coen", "The Big Lebowski", 1998));
            List<Movie> list = movies.getMovies();
            assertEquals("List.size()", 3, list.size());
            for (Movie movie : list) {
                movies.deleteMovie(movie);
            }
            assertEquals("Movies.getMovies()", 0, movies.getMovies().size());
            return null;
        }
    });
A Spring controller (or any servlet container component, for that matter), with or without Spring Security, is seamlessly authenticated with the EJB container depending on how you have configured the servlet container. You have to check your servlet container's documentation on how to configure security context propagation or establish a trust level with the EJB container in run-as mode.
Please add more details of your configuration (EJB and servlet containers, versions, whether or not they are co-located, where authentication is happening, etc.) to enable us to provide more details.
Edit Feb 20. Security Context Propagation
Assuming that you are getting the context using the no-args constructor, as in:

    InitialContext context = new InitialContext();

you can be sure of security propagation to OpenEJB. No other configuration is required. As soon as you look up the bean using that context, the security context (user and roles) is passed to the EJB container.
So you just have to focus on security in Tomcat. I haven't yet understood how you have configured Tomcat. Can you show some more of the configuration of users, roles, realm, etc. in Tomcat?
Edit Feb 20. Test on Tomcat
Please see "How to get user roles in a JSP / Servlet" and first test in a JSP/Servlet to make sure that you are getting the user principal and roles correctly. After this test has passed, you can test a security-annotated EJB method to verify security propagation.
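An added example, not code from either post, of the two steps the answer suggests: the controller first checks the principal and role that Tomcat established, then looks up a @RolesAllowed bean through a plain no-arg InitialContext and treats EJBAccessException as the sign that propagation did not carry the caller's identity. The bean, interface, JNDI name "MoviesBeanLocal", the role "Manager" and the Spring MVC 3 annotations are all assumptions.

```java
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Stateless;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Business interface and bean (assumed names): only callers in role "Manager" may delete.
interface MoviesLocal {
    void deleteAllMovies();
}

@Stateless
@RolesAllowed("Manager")
class MoviesBean implements MoviesLocal {
    public void deleteAllMovies() { /* business logic omitted */ }
}

@Controller
public class MoviesController {

    @RequestMapping("/movies/clear")
    @ResponseBody
    public String clear(HttpServletRequest request) throws NamingException {
        // Step 1 (the answer's "test on Tomcat"): confirm Tomcat itself authenticated the
        // user and mapped roles; without that there is nothing to propagate.
        if (request.getUserPrincipal() == null) {
            return "not authenticated at the servlet layer: check Tomcat realm and login-config";
        }
        if (!request.isUserInRole("Manager")) {
            return "user " + request.getUserPrincipal().getName() + " lacks role Manager";
        }
        // Step 2: plain no-arg InitialContext in the same Tomcat/OpenEJB JVM, so the
        // authenticated principal and roles travel with the call (no Callable wrapper).
        InitialContext context = new InitialContext();
        MoviesLocal movies = (MoviesLocal) context.lookup("MoviesBeanLocal");
        try {
            movies.deleteAllMovies();
            return "ok";
        } catch (EJBAccessException denied) {
            // Propagation did not happen or the role did not reach the container.
            return "EJB rejected caller: " + denied.getMessage();
        }
    }
}
```

If step 1 passes but the EJB call is rejected, the problem is between Tomcat and OpenEJB (propagation or role mapping), not in the web-tier login.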