Is it possible to implement J2EE security roles for a Gen 8.6 EJB/EJB Web Service deployed in WebSphere 9.0.5?
For deployed Gen EJBs the expected Detail Properties option "Security role to user/group mapping" is not visible/missing, so do Gen EJBs not support J2EE role-based security?
WebSphere Application Server 9.0.5 doc. page references:
Security role references in web applications
Security role to user or group mapping
Gen 8.6 EJB EAR files
WebSphere Application Server 9.0.5
Support checked their example Gen EJB deployments on WebSphere 9.0.5.10 and for Detail Properties, the option "Security role to user/group mapping" is always missing.
Gen EJB EAR files have XML descriptor files (e.g. ejb-jar.xml) that do not contain security role tags to enable securing of the EJBs on the deployed Application Server (J2EE authorization). That explains why the option "Security role to user/group mapping" is not visible.
Gen Engineering confirmed that there is currently no support for adding security role information into the Gen EAR XML descriptor file.
The only option would be to manually modify the XML descriptor within the EAR file to provide the required security roles.
Potentially the relevant Build Tool Assemble script in the directory "%Gen86%\Gen\bt\scripts" could be customized to automate that process.
NOTE:
This is only valid when using EJBRMI communications where the EJBRMISecurityExit and the EJBRMIContextExit user exits are both called prior to the EJB starting.
However that does not occur when using Web Services communication to an EJB Web Service. For all communication types, the EJBRMISecurityExit is called again after the EJB has started but that is too late for the Web Services option.
If this feature is considered important for Gen to do out of the box, then the advice would be to create an Idea on the Ideas Community (Category=Gen) to request an enhancement for Gen. That Idea could then be voted on by other Gen users.
If using EJBRMI as the communications middleware i.e. Gen Java client to Gen Java server EJB, it is also possible to use the EJBRMI user exits to enable J2EE security:
EJBRMIContextExit - Web Generation EJB RMI Context Exit
EJBRMISecurityExit - Web Generation EJB RMI Security Exit
===
In J2EE security access to a specific EJB is controlled by the Principal/Credential supplied by the client (initially provided by the manager of the server.)
The context of an EJB is a set of properties that are provided at runtime. Method System.getProperty("NAME") looks up a property NAME on the system properties list.
If it returns null or blank, that indicates that those properties have not been defined or have no value.
The spelling of the property names is important only because it matches whatever properties have been defined for the application server.
The Gen runtime invokes EJBRMIContextExit before creating an initial context for the EJB instance. It contains example code for property names "SECURITY_PRINCIPAL" and "SECURITY_CRENDENTIALS".
The EJBRMISecurityExit is called after the InitialContext() is established.
These exits are available on both client and server side, so values can be set on the client side and retrieved on the server side.
The EJBRMISecurityExit shows how the user id and password might be incorporated into the runtime object, to be available for the server to verify. It might be required to translate specific userid/passwords at the client level into roles that could be used with standard J2EE security.
===
If the Java server has been generated with TP Monitor = "EJB Web Services" rather just "EJB" then it is possible to call the EJB as a web service for which there are currently 2 options: