From time to time we get complaints from partners and customers that OC4J does not support anonymous EJB lookup and execution of EJB methods, that is, looking up and calling an EJB without specifying a principal and credentials when creating the InitialContext. For example, if you try to look up a remote EJB in OC4J anonymously, your jndi.properties will look as follows (note the empty principal and credentials):
java.naming.factory.initial=oracle.j2ee.naming.ApplicationClientInitialContextFactory
java.naming.provider.url=ormi://localhost:23791/ejb30slsb
java.naming.security.principal=
java.naming.security.credentials=
In my opinion security is a practice that starts during development, and I view this as a big security hole in the applications, because you are leaving your EJBs in the “ejb30slsb” application to be executed by anyone, and I would advise against doing this.
Anyway, many of us do not care until we are bitten. Some want to use anonymous EJB lookup simply because they have been doing it for years in other application servers and want to continue the bad practice in OC4J. We have been looking at this for years and have not implemented it, because our security practice would not allow such behaviour to be available out of the box.
However, for those folks who do not care about securing their EJBs, there is a way to configure OC4J to allow anonymous EJB lookup. I tried this in OC4J 10.1.3 and it works great. Here are the steps you have to do:
1. Assign the built-in anonymous user in config/jazn-data.xml to a more privileged role/group that has RMI permissions. For example, add anonymous as a member of the users role (the original snippet was missing the opening <members> tag):
<role>
  <name>users</name>
  <members>
    <member>
      <type>user</type>
      <name>anonymous</name>
    </member>
  </members>
</role>
2. Make sure that the group/role has namespace access to that application and permission to execute the EJB methods. Grant the users role access to the EJB by specifying the following in the orion-application.xml packaged in the EAR. Note that root="" is the entire JNDI namespace of the application; every bean bound under it becomes reachable by that group:
<namespace-access>
  <read-access>
    <namespace-resource root="">
      <security-role-mapping name="<jndi-user-role>">
        <group name="administrators" />
        <group name="users" />
      </security-role-mapping>
    </namespace-resource>
  </read-access>
  <write-access>
    <namespace-resource root="">
      <security-role-mapping name="<jndi-user-role>">
        <group name="administrators" />
        <group name="users" />
      </security-role-mapping>
    </namespace-resource>
  </write-access>
</namespace-access>
Now you should be able to access remote EJBs without specifying a principal and credentials, which makes your EJBs free for all: anyone who can reach the ORMI port can look them up and, unless the beans declare method permissions in their deployment descriptors, invoke them.
THINK twice before you do this!
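As an added audit check (not code from the original post or from Oracle), the following Python script parses the two files that the steps above touch and reports which JNDI namespace roots the built-in anonymous user can reach through read or write access. The jazn-data.xml and orion-application.xml contents embedded below are constructed to mirror steps 1 and 2; the realm name jazn.com, the role names and the idea of running the check against strings instead of files on disk are assumptions made for the example.

```python
"""Audit OC4J configuration for anonymous EJB exposure (added example).

Step 1 of the post puts the built-in 'anonymous' user into a role; step 2
grants that role JNDI namespace access. This script cross-checks the two:
any (access type, namespace root) granted to a role that contains
'anonymous' is reported as exposed.
"""
import re
import xml.etree.ElementTree as ET

ANONYMOUS_USER = "anonymous"

# Constructed sample of jazn-data.xml after step 1 ('anonymous' added to the
# 'users' role). Realm name jazn.com and role layout are assumptions.
JAZN_DATA_XML = """<?xml version="1.0"?>
<jazn-data>
  <jazn-realm>
    <realm>
      <name>jazn.com</name>
      <roles>
        <role>
          <name>administrators</name>
          <members>
            <member><type>user</type><name>oc4jadmin</name></member>
          </members>
        </role>
        <role>
          <name>users</name>
          <members>
            <member><type>user</type><name>oc4jadmin</name></member>
            <member><type>user</type><name>anonymous</name></member>
          </members>
        </role>
      </roles>
    </realm>
  </jazn-realm>
</jazn-data>
"""

# Constructed sample of orion-application.xml after step 2: 'users' gets
# read access to the whole namespace (root=""), administrators get both.
ORION_APPLICATION_XML = """<?xml version="1.0"?>
<orion-application>
  <namespace-access>
    <read-access>
      <namespace-resource root="">
        <security-role-mapping name="<jndi-user-role>">
          <group name="administrators" />
          <group name="users" />
        </security-role-mapping>
      </namespace-resource>
    </read-access>
    <write-access>
      <namespace-resource root="">
        <security-role-mapping name="<jndi-user-role>">
          <group name="administrators" />
        </security-role-mapping>
      </namespace-resource>
    </write-access>
  </namespace-access>
</orion-application>
"""


def _parse_orion(xml_text):
    # OC4J's own config parser tolerates the literal "<jndi-user-role>" in
    # the name attribute; a strict XML parser rejects '<' there, so escape it.
    fixed = re.sub(r'name="<([^"]*)>"', r'name="&lt;\1&gt;"', xml_text)
    return ET.fromstring(fixed)


def roles_containing_user(jazn_xml, user=ANONYMOUS_USER):
    """Return {realm name: set of role names} for roles listing `user`."""
    found = {}
    for realm in ET.fromstring(jazn_xml).iter("realm"):
        realm_name = realm.findtext("name", default="?")
        for role in realm.iter("role"):
            for member in role.iter("member"):
                if (member.findtext("type") == "user"
                        and member.findtext("name") == user):
                    found.setdefault(realm_name, set()).add(role.findtext("name"))
    return found


def namespace_grants(orion_xml):
    """Return {(access type, namespace root): set of group names}."""
    grants = {}
    root = _parse_orion(orion_xml)
    for access in ("read-access", "write-access"):
        for acc in root.iter(access):
            for res in acc.iter("namespace-resource"):
                groups = {g.get("name") for g in res.iter("group")}
                grants.setdefault((access, res.get("root", "")), set()).update(groups)
    return grants


def anonymous_exposure(jazn_xml, orion_xml):
    """Sorted (access type, namespace root, role) triples open to 'anonymous'."""
    anon_roles = set()
    for roles in roles_containing_user(jazn_xml).values():
        anon_roles |= roles
    return sorted(
        (access, ns_root, role)
        for (access, ns_root), groups in namespace_grants(orion_xml).items()
        for role in groups & anon_roles
    )


if __name__ == "__main__":
    for access, ns_root, role in anonymous_exposure(JAZN_DATA_XML, ORION_APPLICATION_XML):
        print(f"EXPOSED: {access} on JNDI root '{ns_root or '/'}' via role "
              f"'{role}', which contains user '{ANONYMOUS_USER}'")
```

Running it against the constructed samples reports one finding, read access on the root namespace via the users role; read access is all a client needs for the anonymous lookup, so removing anonymous from every role that appears under namespace-access (or dropping the users group from the mapping) is what closes the hole.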
7:11:51 AM