The EJB development guide's 6.4. Remote Access to EJBs talks about how to add security realms for securing EJBs.
I'm missing some information about how to properly create the file myfile.properties (referenced in 6.4.2. Add a New Security Realm) used for storing user passwords. The file will not be created automatically.
- There should be an additional step to create a standalone/configuration/myfile.properties or (in domain) domain/configuration/myfile.properties file
- The file needs to be readable and writable only for the owner of the file (chmod 600 myfile.properties)
- This note:
The newly created properties file is not managed by the included add-user.sh and add-user.bat scripts. It must be managed externally.
is not really correct: the file will be managed by the script; the script just will not create it by itself. You have to create it yourself, but after that you can use the add-user script to manage it.
- When using the add-user.sh script to add a user to a non-default file (other than application-users.properties), you have to pass it the argument --user-properties myfile.properties; otherwise it will try to use application-users.properties.
There also should be some information about how to assign a security realm to a particular EJB.
- You can't directly assign a realm to an EJB; you can assign a security domain to an EJB, and you can configure that security domain to retrieve user/password data from a security realm. Assigning a security domain is done with the @SecurityDomain annotation, which can be applied to an EJB.
- I would tell the users to have a look at the other security domain, which exists by default and which retrieves user/password data from the underlying security realm. This security domain is also the default if there is no @SecurityDomain annotation on the EJB but the EJB is considered secured (that is, if it contains any of the other security-related annotations).
- Which security realm is used is a property of the underlying http-remoting connector that the client uses to establish a connection. This connector is defined in the Remoting subsystem. Changing the security realm of the default connector can be done like this:
/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm,value=MyDomainRealm)
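The steps above (create the properties file yourself, restrict it to the owner, add users with --user-properties, then point the connector at the realm) as one added shell example. This is not code from the EJB guide or from the add-user script; JBOSS_HOME, the realm name MyDomainRealm, and the user alice with password s3cret are assumptions for illustration. The file creation and permission check run anywhere; the add-user.sh and jboss-cli.sh calls only run when a server install is found, and otherwise the script writes the entry in the format add-user uses (username=HEX(MD5("username:realm:password"))) so the result can be inspected.

```shell
#!/bin/sh
# Added example (not from the EJB guide). JBOSS_HOME, MyDomainRealm and
# alice/s3cret are assumptions; adjust them to your installation.
set -eu

# Create the users file with owner-only permissions (0600). umask runs in a
# subshell so it does not leak into the caller; chmod also covers the case
# where the file already existed with looser permissions.
create_users_file() {
    f="$1"
    ( umask 077; : > "$f" )
    chmod 600 "$f"
}

# Permission string as ls prints it, e.g. "-rw-------" for a 0600 file.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Hex MD5 of a string; uses md5sum if present, otherwise openssl.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/^.* //'
    fi
}

# Entry format used in the users properties files:
#   username=HEX(MD5("username:realm:password"))
# The realm name is part of the digest, so an entry is bound to one realm.
# This is the line add-user.sh produces; writing it by hand is only for
# inspection or when no server install is at hand.
user_entry() {
    user="$1"; realm="$2"; pass="$3"
    printf '%s=%s\n' "$user" "$(md5_hex "$user:$realm:$pass")"
}

# Preferred path: let add-user.sh manage the file. Without --user-properties
# it would write to application-users.properties instead (there is also
# --group-properties if roles should go to a custom file as well).
add_user_via_script() {
    file="$1"; user="$2"; pass="$3"; realm="$4"
    if [ -x "${JBOSS_HOME:-/nonexistent}/bin/add-user.sh" ]; then
        "$JBOSS_HOME/bin/add-user.sh" -s -a -r "$realm" \
            --user-properties "$file" -u "$user" -p "$pass"
    else
        # No server install: write the equivalent entry directly.
        user_entry "$user" "$realm" "$pass" >> "$file"
    fi
}

# The connector, not the EJB, selects the realm. Requires a running server;
# prints the CLI command when none is available. The server may report
# reload-required afterwards.
set_connector_realm() {
    realm="$1"
    cmd="/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm,value=$realm)"
    if [ -x "${JBOSS_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
        "$JBOSS_HOME/bin/jboss-cli.sh" --connect --command="$cmd"
    else
        printf 'would run: %s\n' "$cmd"
    fi
}

# Demo against a temp directory standing in for standalone/configuration.
dir=$(mktemp -d)
users="$dir/myfile.properties"
create_users_file "$users"
add_user_via_script "$users" alice s3cret MyDomainRealm
printf 'mode: %s\n' "$(file_mode "$users")"
cat "$users"
set_connector_realm MyDomainRealm
```

Run it once with JBOSS_HOME unset to see the file and its mode, then with JBOSS_HOME pointing at a real install so add-user.sh and the CLI do the work; in both cases the file must already exist with mode 600 before users are added.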