I am using httpinvoker in JBoss 4.0.4 (little old) for EJB invocations. Since there are so many clients that make calls to my server, I want to identify the clients for each call in server.
Is there a way to do this with JBoss httpinvoker?
I could imagine adding a header to identify my client in each HTTP request, but cannot find a way to add a header in httpinvoker.
Auditing builds on a name, and thus on an authentication scheme somehow.
Therefore I suggest using the standard client authentication infrastructure to solve your problem. This works for RMI as well (it's not bound to HTTP), and the user ID is even passed down into your EJBs.
Server
security-domain
(ejb.jar: META-INF/jboss.xml)application-policy
other which just theUsersRolesLoginModule
(conf/login-config.xml); this is the default policy, it's already configured.UsersRolesLoginModule
Client
javax.security.auth.callback.CallbackHandler
: This callback is used, when the authentication needs the user and the password.javax.security.auth.login.LoginContext
; pass the callback handler as the 2nd argument; calllogin()
on the instance of theLoginContext
InitialContext
-Djava.security.auth.login.config=.../jboss-4/client/auth.conf
when you start the clientThis way a user ID is passed from the client to the EJB (as part of the standard authentication process). Now, in the EJB methods, you can get the user ID by calling
getCallerPrincipal()
on theSessionContext
instance. I have tested this against JBoss 4.2.3Additional information: JBoss client authentication
Addendum 1:
Using RMI or HTTP, the password is not transported in a secure way. In this case just use a dummy password, this is OK for auditing.
On the other hand, if you use RMI over SSL or HttpInvoker over HTTPS, you could change to a real and secure authentication quickly.
Addendum 2:
I am not sure, if it works without defining roles. Possibly you have to
security-role-ref
for each EJB, andsecurity-role
andmethod-permission
in theassembly-descriptor
Update
As there is already a login module, there might be another possibility:
If you have the source code of the login module, you could possibly use another
TextCallback
to get additional information from the client (in your case a user ID). The information could be used to create a customPrincipal
. Within the EJB, the result ofgetCallerPrincipal()
could be cast to the custom principal.