= Simple Remote Tomcat Users
:index-group: Security
:jbake-type: page
:jbake-status: published

This example shows how to use JNDI with security restrictions in TomEE.

== Contract

In our example, Contract is an interface annotated with @Remote, which indicates that all methods of this interface can be accessed by client code.

[source,java]
----
@Remote
public interface Contract {
    String hi();
}
----

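== ContractImpl

ContractImpl is a concrete implementation of the Contract interface that restricts access to the hi method to users with the role test.

[source,java]
----
@Stateless
public class ContractImpl implements Contract {
    @RolesAllowed("test") // only callers in role "test" may invoke hi()
    public String hi() {
        return "hi";
    }
}
----
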
== ContractTest

In this class we test the correctness of our application with Arquillian by creating a WAR named test.war that contains the Contract and ContractImpl classes and deploying it to an embedded TomEE server. In arquillian.xml we specify that Arquillian picks up tomcat-users.xml from the src/test/conf folder.
In tomcat-users.xml there is a single user with username "tomcat", password "users" and role "test".

To test, we look up ContractImpl and call the hi method using different usernames and passwords.

[source,java]
----
@RunWith(Arquillian.class)
public class ContractTest {
    // testable = false: the test runs as a remote client, outside the container
    @Deployment(testable = false)
    public static Archive<?> app() {
        return ShrinkWrap.create(WebArchive.class, "test.war")
                .addClasses(Contract.class, ContractImpl.class);
    }

    @ArquillianResource
    private URL base;

    // Correct username and password for a user in role "test": the call succeeds
    @Test
    public void valid() throws NamingException {
        assertEquals("hi", hi(new Properties() {{
            setProperty(Context.INITIAL_CONTEXT_FACTORY, RemoteInitialContextFactory.class.getName());
            setProperty(Context.PROVIDER_URL, String.format("http://localhost:%s/tomee/ejb", base.getPort()));
            setProperty(Context.SECURITY_PRINCIPAL, "tomcat");
            setProperty(Context.SECURITY_CREDENTIALS, "users");
        }}));
    }

    // Wrong password: authentication must fail
    @Test
    public void invalid() throws NamingException {
        try {
            hi(new Properties() {{
                setProperty(Context.INITIAL_CONTEXT_FACTORY, RemoteInitialContextFactory.class.getName());
                setProperty(Context.PROVIDER_URL, String.format("http://localhost:%s/tomee/ejb", base.getPort()));
                setProperty(Context.SECURITY_PRINCIPAL, "tomcat");
                setProperty(Context.SECURITY_CREDENTIALS, "wrong");
            }});
            fail("a wrong password must not be accepted");
        } catch (final AuthenticationException ae) {
            // ok
        }
    }

    // No credentials at all: the protected method must reject the call
    @Test
    public void missingCredentials() throws NamingException {
        try {
            hi(new Properties() {{
                setProperty(Context.INITIAL_CONTEXT_FACTORY, RemoteInitialContextFactory.class.getName());
                setProperty(Context.PROVIDER_URL, String.format("http://localhost:%s/tomee/ejb", base.getPort()));
            }});
            fail("an unauthenticated caller must not reach hi()");
        } catch (final EJBAccessException eae) {
            // no-op
        }
    }

    private String hi(final Properties clientConfig) throws NamingException {
        return Contract.class.cast(new InitialContext(clientConfig).lookup("java:global/test/ContractImpl!org.superbiz.Contract")).hi();
    }
}
----
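
The tests above cover a wrong password and missing credentials; the case @RolesAllowed exists for, a caller who authenticates correctly but lacks the role, can be checked the same way. This is an added example, not part of the TomEE project: the class name WrongRoleTest and the user "guest" (password "guest", role "other") are assumptions, that user would have to be added to tomcat-users.xml, and the code assumes JUnit 4 and the javax.ejb namespace (jakarta.ejb on TomEE 9 and later).

```java
package org.superbiz;

import static org.junit.Assert.fail;

import java.net.URL;
import java.util.Properties;
import javax.ejb.EJBAccessException; // assumption: pre-Jakarta TomEE; jakarta.ejb on TomEE 9+
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.apache.openejb.client.RemoteInitialContextFactory;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.jboss.shrinkwrap.api.Archive;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Test;
import org.junit.runner.RunWith;

@RunWith(Arquillian.class)
public class WrongRoleTest { // hypothetical class name
    @Deployment(testable = false)
    public static Archive<?> app() {
        return ShrinkWrap.create(WebArchive.class, "test.war")
                .addClasses(Contract.class, ContractImpl.class);
    }

    @ArquillianResource
    private URL base;

    @Test
    public void authenticatedWithoutRequiredRole() throws NamingException {
        final Properties p = new Properties();
        p.setProperty(Context.INITIAL_CONTEXT_FACTORY, RemoteInitialContextFactory.class.getName());
        p.setProperty(Context.PROVIDER_URL, String.format("http://localhost:%s/tomee/ejb", base.getPort()));
        // Assumed extra tomcat-users.xml entry: user "guest", password "guest", role "other".
        p.setProperty(Context.SECURITY_PRINCIPAL, "guest");
        p.setProperty(Context.SECURITY_CREDENTIALS, "guest");
        // Credentials are valid, so creating the context (authentication) must not throw.
        final Context ctx = new InitialContext(p);
        try {
            Contract.class.cast(ctx.lookup("java:global/test/ContractImpl!org.superbiz.Contract")).hi();
            fail("caller without role 'test' reached hi()");
        } catch (final EJBAccessException expected) {
            // Rejected by the role check on hi(), not by authentication.
        }
    }
}
```
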

== Run the application:

[source,bash]
----
mvn install
----

All test cases will pass.