Deltaspike and @Stateless Bean

I want to secure my "stateless" EJB with the DeltaSpike API.

@Stateless
@Remote(UserServiceRemote.class)
public class UserService implements UserServiceRemote {
    // ...
}

At the method level I have a custom annotation "Support"

@Support
public void doSomething() {}

      

So I wrote a custom annotation "@Support":

@Retention(value = RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD })
@Documented
@SecurityBindingType
public @interface Support {
}

My custom Authorizer looks like this:

@Secures
@Support
public boolean doAdminCheck(Identity identity, IdentityManager identityManager, RelationshipManager relationshipManager)
            throws Exception {      
    return hasRole(relationshipManager, identity.getAccount(), getRole(identityManager, "Support"));
}

      

In my beans.xml file, I have included:

<interceptors>
    <class>org.apache.deltaspike.security.impl.extension.SecurityInterceptor</class>
</interceptors>

      

But after I register my application and call the doSomething method for remote invocation, the "Support" annotation is ignored, regardless of whether I have a role or not.

What am I doing wrong? Thanks for any suggestions!

+3




3 answers


EJB and CDI are two different concepts. The stateless session bean and the CDI managed bean are managed by different containers. Therefore you cannot use DeltaSpike on a stateless session bean. If you want to use DeltaSpike protection, use a named bean and use a different delete strategy.



+2




In my case, I had to make sure that the module (jar) containing the service that I wanted to protect with the annotation had a beans.xml file with the DeltaSpike interceptor (previously I only added the file to the protected module the code itself, which was a problem) ...

Also, I found out that I had to decouple the business logic service from the SOAP endpoint declaration itself. This custom EJB @Stateless (or any other) service can be @Inject-ed in SOAP and security annotations (@Support here) will work on it.



In my opinion, decoupling the endpoint declaration from the business code is a good design anyway, since we can have multiple interfaces referencing the same business logic (and simpler unit tests, etc.).

0
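The layout described in the answer above, applied to the question's remote EJB, as an added sketch that is not code from the thread. It assumes javax.* (Java EE) packages, that UserServiceRemote declares doSomething(), that @Support from the question is in the same package, and that the jar holding the business bean has its own beans.xml listing SecurityInterceptor; UserOperations is a hypothetical name.

```java
// Two source files shown in one listing (each public class goes in its own file).

// --- UserOperations.java: business logic bean (hypothetical name) ---
// Lives in the jar whose beans.xml registers
// org.apache.deltaspike.security.impl.extension.SecurityInterceptor.
import javax.ejb.Stateless;

@Stateless
public class UserOperations {

    // The security binding sits on the business method, not on the endpoint.
    // Per the answer above, the interceptor then consults the
    // @Secures @Support authorizer before this body runs.
    @Support
    public void doSomething() {
        // privileged work goes here
    }
}

// --- UserService.java: remote facade, carries no security annotations ---
import javax.ejb.Remote;
import javax.ejb.Stateless;
import javax.inject.Inject;

@Stateless
@Remote(UserServiceRemote.class)
public class UserService implements UserServiceRemote {

    // Injected by the container, so the call below goes through a
    // container-managed reference rather than an object created with `new`.
    @Inject
    private UserOperations operations;

    @Override
    public void doSomething() {
        // Delegation only: authorization is enforced on operations.doSomething().
        operations.doSomething();
    }
}
```

To check that the binding is enforced and not silently ignored, call doSomething() remotely as a user without the Support role and confirm the call is rejected instead of executed.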




Depending on the bean-discovery mode defined in beans.xml, your UserService might not be accessible from the CDI container. You should use "annotated" discovery mode and annotate your UserService with the dependent one.

-1








