
Cannot instantiate EJB after configuring EJB security roles PLEASE HELP!!!

Former Member
0 Kudos

I just managed to properly configure my stateless session bean with respect to the security roles in the ejb-jar.xml and the ejb-j2ee-engine.xml file (see below). I also configured the security roles in the security provider service tab within the Visual Administrator (added a security role rmsadmin of type security role) and then added some user to this role.

The deployment went fine but when I started the application with the modified security settings I received an error message saying "Cannot create EJB instance. Nested message: null.". This message was not produced because of some of my business logic methods - the application ran fine before.

Here you find my ejb-jar.xml and ejb-j2ee-engine.xml files:

EJB:

===

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <description>EJBTest descr.</description>
  <display-name>EJBTest</display-name>
  <enterprise-beans>
    <session>
      <ejb-name>WDTestBean</ejb-name>
      <home>de.hpi.WDTestHome</home>
      <remote>de.hpi.WDTest</remote>
      <local-home>de.hpi.WDTestLocalHome</local-home>
      <local>de.hpi.WDTestLocal</local>
      <ejb-class>de.hpi.WDTestBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-role-ref>
        <role-name>administrator</role-name>
        <role-link>wdtest</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>wdtest</role-name>
    </security-role>
    <method-permission>
      <description>method-permission</description>
      <role-name>wdtest</role-name>
      <method>
        <ejb-name>WDTestBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

===

J2EE:

===

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-j2ee-engine SYSTEM "ejb-j2ee-engine.dtd">
<ejb-j2ee-engine>
  <enterprise-beans>
    <enterprise-bean>
      <ejb-name>WDTestBean</ejb-name>
      <session-props/>
    </enterprise-bean>
  </enterprise-beans>
  <security-permission>
    <security-role-map>
      <role-name>wdtest</role-name>
      <server-role-name>rmsadmin</server-role-name>
    </security-role-map>
  </security-permission>
</ejb-j2ee-engine>

===

I really need your help on this topic - I have absolutely no clue why it doesn't work...

Thanks in advance!!

Regards,

H. Schubert
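
The role chain laid out in the two descriptors above (security-role-ref role-link, to security-role, to server role) can be checked mechanically before deployment. The following is an added example, not part of the original post or of SAP tooling; it relies only on the element names shown in the post, and the helper name check_role_chain and the condensed sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, condensed copies of the two descriptors from the post.
EJB_JAR = """<ejb-jar><enterprise-beans><session>
  <ejb-name>WDTestBean</ejb-name>
  <security-role-ref><role-name>administrator</role-name>
    <role-link>wdtest</role-link></security-role-ref>
</session></enterprise-beans><assembly-descriptor>
  <security-role><role-name>wdtest</role-name></security-role>
  <method-permission><role-name>wdtest</role-name>
    <method><ejb-name>WDTestBean</ejb-name><method-name>*</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""
ENGINE = """<ejb-j2ee-engine><security-permission><security-role-map>
  <role-name>wdtest</role-name><server-role-name>rmsadmin</server-role-name>
</security-role-map></security-permission></ejb-j2ee-engine>"""


def _text(node, tag):
    """Trimmed text of a direct child element, or '' if absent or empty."""
    return (node.findtext(tag) or "").strip()


def check_role_chain(ejb_jar_xml, engine_xml):
    """Hypothetical helper: list breaks in the role chain; [] means consistent."""
    jar, eng = ET.fromstring(ejb_jar_xml), ET.fromstring(engine_xml)
    declared = {_text(r, "role-name")
                for r in jar.iterfind("assembly-descriptor/security-role")}
    mapped = {_text(m, "role-name"): _text(m, "server-role-name")
              for m in eng.iterfind("security-permission/security-role-map")}
    findings = []
    # 1. A bean's role-link must point at a declared security-role.
    for bean in jar.iterfind("enterprise-beans/*"):
        for ref in bean.iterfind("security-role-ref"):
            link = _text(ref, "role-link")
            if link and link not in declared:
                findings.append(f"{_text(bean, 'ejb-name')}: role-link '{link}' is undeclared")
    # 2. Roles granted methods must be declared as well.
    for rn in jar.iterfind("assembly-descriptor/method-permission/role-name"):
        if (rn.text or "").strip() not in declared:
            findings.append(f"method-permission uses undeclared role '{rn.text}'")
    # 3. Each declared role needs a non-empty server role; stray mappings are flagged.
    for role in sorted(declared):
        if not mapped.get(role):
            findings.append(f"role '{role}' has no server role mapping")
    for role in sorted(set(mapped) - declared):
        findings.append(f"mapping for '{role}' matches no declared role")
    return findings
```

An empty result for the descriptors as posted means the role wiring itself is consistent, so a failure at instantiation has to be traced elsewhere, such as in whether the caller is authenticated at all.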

Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

Hello Harald,

Did you check server logs for more details on the problem?

Kind Regards

Vyara

Former Member
0 Kudos

Yes I did. Finally I solved the problem: I didn't recreate a WS proxy in my web dynpro project by the time I updated the WS' configuration to support authentication - this among other things was very hard to see. Here, SAP could surely supply its developer community with more valuable information, that is, error messages...

Well, apart from that I have a new problem - I could not authenticate even though I had done so in the web dynpro application using the UME. As I further found out, the web service was fully functional - I tested it with the web front-end. So I asked myself how it could be that the information is not forwarded from web dynpro to the web service automatically.

Is there any means to achieve this?

Anyway, I found out that I can set the information manually via the request object generated from the WS proxy within web dynpro, i.e. using _setUsername() and _setPassword(). I surely can access the username using UME but I cannot access the password. Of course, from a security standpoint I see why. Somebody told me I should use the "secure key store" for this purpose.

Is that the way it is supposed to work or did I miss something?

A link to relevant documentation is highly appreciated!

Regards,

Harald

Former Member
0 Kudos

Hi Harald,

have you seen this page from the Web Services documentation: http://help.sap.com/saphelp_nw04/helpdata/en/ab/c955e2e2d24a888127f211f2d5043f/frameset.htm. It describes how to use security protocol from ws clients.

Hope that helps!

Former Member
0 Kudos

Thank you very much - it seems that this might be indeed the solution. I will check it on Monday and tell you if it worked out!

Former Member
0 Kudos

Hi Ivaylo,

As far as I can tell the link you provided does not lead to a solution. I still cannot obtain the password by any means...

Here is my code so far, written as part of a WDP view:

public static void wdDoModifyView(IPrivateWDTestView wdThis, IPrivateWDTestView.IContextNode wdContext, com.sap.tc.webdynpro.progmodel.api.IWDView view, boolean firstTime)
{
    [...]
    Request_WDTestServiceViDocument_foo req = new Request_WDTestServiceViDocument_foo();
    wsContext.nodeRequest_WDTestServiceViDocument_foo().bind(req);
    IWDClientUser usr = WDClientUser.getCurrentUser();
    req.setMsg(usr.getSAPUser().getUniqueName());
    req._setUser(usr.getSAPUser().getUniqueName());
    //HACK - need a way to work around this...
    req._setPassword("bar");
    req.execute();
    [...]
}

martijndeboer
Advisor
0 Kudos

Hi Harald,

As I understand your scenario, you're developing a WD application. The WD application is using a web service model and after you added security checks on the EJB, you encounter errors due to the authorization checks of the EJB.

The web service (ws) model is making HTTP requests, and by default no credentials for authentication are provided by the request. For authentication you have the following options:

1) use username/password hard coded in your code

2) With Stack 10: set the name of an HTTP destination from the J2EE destination service. In the Visual Administrator, you can configure connection settings (URL, credentials etc.), which can then be used by applications for connecting to backend systems (like SM59 in ABAP).

My recommendation would be to update engine and IDE to stack 10 when it becomes available.

Then you need to

1) Create a J2EE destination of type HTTP in the destination service in the J2EE engine. Set "SAP Logon Ticket" as authentication method.

2) Change your coding to use the destination (example):

    Request_QuickCarRentalServiceViDocument_viewActiveBookings modObj
        = wdContext.currentActiveBookingsElement().modelObject();
    modObj._setHTTPDestinationName("CarRental");
    modObj.execute();

As a result, the ws model uses the SAP logon ticket for authentication. When SAP logon tickets are configured correctly (->by default when WD and WS running on the same engine), your scenario should work.

Best Regards,

Martijn de Boer

Former Member
0 Kudos

Hi Martijn,

first, thanks for your reply.

The way you interpreted my scenario was absolutely correct.

Nevertheless I cannot quite believe that there is no way to dynamically obtain the username and password. To me, this seems a bit archaic.

So if I get you right, I am supposed to create one internal user for each security role I use in my ejb application and successively log on with those depending on the actual user which calls the ws from the wdp layer. But again, this is somewhat confusing since I might use the getPrincipal method provided by the EJBContext object of the bean and would hence receive the internal user name and not the actual user name.

Unfortunately I am not allowed to update the IDE or engine by any means - I'll have to stick to the solution without SAP Logon Tickets.

Any further suggestions?