Replies: 7 - Last Post: Jun 4, 2008 12:26 PM by: monzillo

Possible to include HTTP header information as part of RMI-IIOP?
Posted: May 6, 2008 3:58 PM
Hello,
The project I'm working on is migrating some web services code to a stateless session EJB where RMI-IIOP is utilized. Is there a way to insert header information in the remote method invocation from the invoking ORB to the target ORB? In the GIOP header or something?
We would like to just pass a cookie value from a client tier running on glassfish to another instance of glassfish running services. We've also been dabbling w/ trying to pass the security context JAAS Subject w/o success. Identity propagation would be nice, but simply passing the cookie value would be sufficient.
Any suggestions from the community?
Thanks, John

Re: Possible to include HTTP header information as part of RMI-IIOP?
Posted: May 22, 2008 3:25 PM in response to: da3m0npr0c3ss
Yes, it is possible to do exactly what you want to do by adding a CORBA ServiceContext to the GIOP request and response headers. The programmatic API for this is called Portable Interceptors. Using it is a bit complicated, but here are a few references (also easily found on Google):
There is a reasonable introduction in the article "CORBA meta-programming mechanisms" by Doug Schmidt and Steve Vinoski at http://www.ddj.com/cpp/184403860
There is a fairly advanced and detailed tutorial (with example code) at http://java.sun.com/j2se/1.4.2/docs/guide/idl/PI.html Although this was written for JDK 1.4.2, there are no significant changes in this area for JDK 5 or 6.
Finally, if you need all of the details, the official specification chapter is available at: http://www.omg.org/cgi-bin/doc?formal/01-02-57
This is actually chapter 21 of the official CORBA specification, also available at the OMG as http://www.omg.org/cgi-bin/doc?formal/02-11-01 (this is version 3.0.1. A later version is available, but the 3.0.1 version has the correct PI chapter in it).
I can provide more details if needed.
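
The approach described in this reply, as an added example that is not part of the original post or of GlassFish: a portable interceptor that carries a string in a ServiceContext from the invoking ORB to the target ORB. The class name, CONTEXT_ID, MAX_BYTES and the OUTBOUND thread-local are assumptions, and the org.omg packages are assumed to be available (JDK 8 or earlier).

```java
import java.nio.charset.StandardCharsets;
import org.omg.CORBA.Any;
import org.omg.CORBA.BAD_PARAM;
import org.omg.CORBA.LocalObject;
import org.omg.CORBA.NO_PERMISSION;
import org.omg.CORBA.ORB;
import org.omg.IOP.ServiceContext;
import org.omg.PortableInterceptor.*;
import org.omg.PortableInterceptor.ORBInitInfoPackage.DuplicateName;

// Hypothetical class: name it in the ORB property
// org.omg.PortableInterceptor.ORBInitializerClass.CookieContext on both ORBs.
public class CookieContext extends LocalObject
        implements ORBInitializer, ClientRequestInterceptor, ServerRequestInterceptor {
    static final int CONTEXT_ID = 0x7F000001; // placeholder id, not OMG-assigned
    static final int MAX_BYTES = 1024;        // assumed upper bound for the value
    // Assumes send_request runs on the calling thread; the caller sets this first.
    public static final ThreadLocal<String> OUTBOUND = new ThreadLocal<>();
    public static volatile int slot;          // PICurrent slot read by the servant

    public void pre_init(ORBInitInfo info) { slot = info.allocate_slot_id(); }
    public void post_init(ORBInitInfo info) {
        try {
            info.add_client_request_interceptor(this);
            info.add_server_request_interceptor(this);
        } catch (DuplicateName e) { throw new IllegalStateException(e); }
    }
    public String name() { return "CookieContext"; }
    public void destroy() {}
    // Invoking ORB: attach the value (raw UTF-8, no CDR encapsulation) to the request.
    public void send_request(ClientRequestInfo ri) {
        String v = OUTBOUND.get();
        if (v == null) return;
        byte[] data = v.getBytes(StandardCharsets.UTF_8);
        ri.add_request_service_context(new ServiceContext(CONTEXT_ID, data), true);
    }
    // Target ORB: the context is caller-supplied input, so bound it before use.
    public void receive_request_service_contexts(ServerRequestInfo ri) {
        try {
            byte[] data = ri.get_request_service_context(CONTEXT_ID).context_data;
            if (data.length > MAX_BYTES) throw new NO_PERMISSION("context too large");
            Any any = ORB.init().create_any();
            any.insert_string(new String(data, StandardCharsets.UTF_8));
            ri.set_slot(slot, any);
        } catch (BAD_PARAM absent) { // request carried no such context
        } catch (InvalidSlot e) { throw new IllegalStateException(e); }
    }
    // Remaining interception points are unused.
    public void send_poll(ClientRequestInfo r) {} public void receive_reply(ClientRequestInfo r) {}
    public void receive_exception(ClientRequestInfo r) {} public void receive_other(ClientRequestInfo r) {}
    public void receive_request(ServerRequestInfo r) {} public void send_reply(ServerRequestInfo r) {}
    public void send_exception(ServerRequestInfo r) {} public void send_other(ServerRequestInfo r) {}
}
```

A servant reads the value from PICurrent with get_slot(CookieContext.slot). The context bytes are whatever the caller put on the wire, so treat the value as request data rather than as an authenticated identity unless the IIOP connection itself is authenticated.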

Re: Possible to include HTTP header information as part of RMI-IIOP?
Posted: May 23, 2008 6:27 AM in response to: da3m0npr0c3ss
All current EE containers are required to support identity propagation on ejb invocations originating in a web container. It sounds like you would like to propagate additional identity attributes. The underlying protocol, i.e. CSIv2, allows for inclusion of an authorization token in addition to the propagated identity token, but support for authorization token is not included in the conformance level that EE containers are required to support.
If you can modify your app topology such that the web and ejb tiers are in the same process, then we can factor out propagation on the wire, and the ejb tier will effectively see the security context as established by the web-tier. I realize this may not be possible, although it may be possible for you to forward requests from an external web-tier to an internal web-tier.
I believe the suggestions made by Ken will provide you with a way to operate on the message headers at both ends of the dialog. If on the ejb side, you want to include the cookie in the container authentication identity, as applied in the ejb access decision, then you would need to find a way to interpret the headers in advance of the service ejb, and you would need to use the appropriate APIs to effect the container authentication context.
You probably have already ruled out having your web tier component extract the cookie and pass it as an argument in the ejb invocation. In this case the cookie would be seen by the server side, after the ejb access decision, so as above you would probably need to have a gateway ejb (sort of like the gateway web-tier I suggest above) if you want the cookie to be set in the authentication identity applied in the container access decision prior to invoking the service ejb.
In a Glassfish container, another approach that *might* work would be to configure a custom web-tier authentication module, such that the identity resulting from the web-tier authentication and propagated within the identity token includes the cookie value. Then, at the ejb container, you might be able to configure a custom realm that is able to decompose the token and transform the cookie part into something like a group name. This last approach will likely require deep knowledge of the token formats and the way the glassfish infrastructure processes them, and may be difficult to support on other appservers.
Ron
btw, configuring custom web tier authentication modules is something that is relatively easy to do in Glassfish.

Re: Possible to include HTTP header information as part of RMI-IIOP?
Posted: Jun 4, 2008 7:29 AM in response to: monzillo
"All current EE containers are required to support identity propagation on ejb invocations originating in a web container. It sounds like you would like to propagate additional identity attributes."
Q: I am interested in propagating a "CWP session id" (a String of decent size) on ejb invocations originating in a web container. Is this "CWP session id" something you would consider an additional identity attribute? Or is it something that can be included as part of the identity propagation supported by all current EE containers?
Thanks, Ming

Re: Possible to include HTTP header information as part of RMI-IIOP?
Posted: Jun 4, 2008 9:40 AM in response to: ming_chan
> "All current EE containers are required to support identity propagation on ejb invocations originating in a web container. It sounds like you would like to propagate additional identity attributes."
I think it will be difficult to come up with a solution that will work in all containers. I think doing so will require that you write some container specific glue code.
Do you require a portable solution?
> Q: I am interested in propagating a "CWP session id" (a String of decent size) on ejb invocations originating in a web container. Is this "CWP session id" something you would consider an additional identity attribute ? OR it is something can be included as part of the identity propagation supported by all current EE containers ?
I think the answer to both of your questions is yes, but on the second, although I think it could be included in the propagated identity, I don't think it will be easy to extend ejb containers such that they recognize and dereference the session id...so the practical answer to the second is no (imo).
Ron
> Thanks,
> Ming

Re: Possible to include HTTP header information as part of RMI-IIOP?
Posted: Jun 4, 2008 10:42 AM in response to: monzillo
Thanks for your reply Ron.
"Do you require a portable solution?"
Not at the beginning. Getting identity propagation on ejb invocations originating in a web container between two Glassfish (web/ejb) containers would be a great start.
thx, Ming

Re: Possible to include HTTP header information as part of RMI-IIOP?
Posted: Jun 4, 2008 12:26 PM in response to: ming_chan
> Thanks for your reply Ron.
>
> "Do you require a portable solution? "
>
> Not at the beginning. Getting identity propagation on ejb invocations originating in a web container between two Glassfish (web/ejb) containers would be a great start.
Must the web and ejb containers be executing in separate vms?
If so, would it be feasible to relay the web request through to a web container that is collocated with the ejb container?
As I mentioned previously, it may also be possible to include some additional info in the propagated identity, and to dereference this info in the realm at the ejb. For that to work, I think we would also need to complete the fix for
https://glassfish.dev.java.net/issues/show_bug.cgi?id=3873
we
> thx,
> Ming

Re: Possible to include HTTP header information as part of RMI-IIOP?
Posted: Jun 4, 2008 8:24 AM in response to: monzillo
Excellent. Thanks for the guidance.
John