Andreas Keefer created OPENEJB-1919:
---------------------------------------
Summary: no security roles check if ejb Method parameter is an Array
Key: OPENEJB-1919
URL: https://issues.apache.org/jira/browse/OPENEJB-1919
Project: OpenEJB
Issue Type: Bug
Components: security
Affects Versions: 4.5.0, 4.0.0
Environment: embedded container, maven, win XP, Linux (3.2.0-31-generic-pae), OpenJDK Runtime Environment (IcedTea7 2.3.2) (7u7-2.3.2a-0ubuntu0.12.04.1), Sun 1.6.0_20-b02
Reporter: Andreas Keefer
Priority: Critical
If an EJB method has an array parameter, OpenEJB does not check the allowed roles.
Example:
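    // MyEjb.java
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.Stateless;

    @Stateless
    public class MyEjb {
        // Only callers in the "admin" role may invoke this method
        @RolesAllowed("admin")
        public void goAdminStringArray(String[] args) {
        }
    }

    // MyEjbTest.java
    import javax.ejb.EJB;
    import javax.ejb.EJBAccessException;
    import javax.ejb.embeddable.EJBContainer;
    import javax.naming.NamingException;
    import org.junit.Before;
    import org.junit.Test;

    public class MyEjbTest {
        @EJB
        private MyEjb myEjb;

        @Before
        public void setUp() throws NamingException {
            // Start the embedded container and inject @EJB fields into this test
            EJBContainer.createEJBContainer().getContext().bind("inject", this);
        }

        @Test(expected = EJBAccessException.class)
        public void testWithArray() {
            // hmm ... array parameter == no Security check ???
            myEjb.goAdminStringArray(new String[]{"a", "b"});
        }
    }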
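A regression test that widens the reproduction above, as an added example that is not part of the report or of the OpenEJB code base. It goes beyond the reported String[] case by probing other array shapes, which the report does not say are affected, and adds a non-array control. ArrayParamBean, ArrayParamSecurityTest and their method names are hypothetical, and the bootstrap is assumed to work as in the report.

```java
// ArrayParamBean.java (hypothetical bean, constructed for this example)
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
public class ArrayParamBean {
    @RolesAllowed("admin") public void plain(String arg) { }           // control: no array
    @RolesAllowed("admin") public void objectArray(String[] args) { }  // shape from the report
    @RolesAllowed("admin") public void primitiveArray(byte[] data) { }
    @RolesAllowed("admin") public void nestedArray(int[][] grid) { }
    @RolesAllowed("admin") public void varargs(String... args) { }     // compiles to String[]
    @RolesAllowed("admin") public void mixed(long id, Object[] rest) { }
}

// ArrayParamSecurityTest.java (hypothetical test class)
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.embeddable.EJBContainer;
import javax.naming.NamingException;
import org.junit.Before;
import org.junit.Test;

public class ArrayParamSecurityTest {
    @EJB
    private ArrayParamBean bean;

    @Before
    public void setUp() throws NamingException {
        // Same bootstrap as the report: no login, so the caller holds no "admin" role.
        EJBContainer.createEJBContainer().getContext().bind("inject", this);
    }

    // Control: if this one fails, role checks are not active in the test setup
    // and the array cases below prove nothing either way.
    @Test(expected = EJBAccessException.class)
    public void plainParameterIsDenied() { bean.plain("a"); }

    // Each case must be denied exactly like the control.
    @Test(expected = EJBAccessException.class)
    public void objectArrayIsDenied() { bean.objectArray(new String[]{"a", "b"}); }
    @Test(expected = EJBAccessException.class)
    public void primitiveArrayIsDenied() { bean.primitiveArray(new byte[]{1}); }
    @Test(expected = EJBAccessException.class)
    public void nestedArrayIsDenied() { bean.nestedArray(new int[][]{{1}}); }
    @Test(expected = EJBAccessException.class)
    public void varargsIsDenied() { bean.varargs("a", "b"); }
    @Test(expected = EJBAccessException.class)
    public void mixedParametersAreDenied() { bean.mixed(1L, new Object[]{"a"}); }
}
```

A passing control combined with a failing array case isolates the defect to parameter-type handling rather than to a missing security configuration.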