[
https://issues.apache.org/jira/browse/OPENEJB-1919?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andreas Keefer updated OPENEJB-1919:
------------------------------------
Attachment: ejbArrayParaTest.zip
maven project to demonstrate the bug
> no security roles check if ejb Method parameter is an Array
> -----------------------------------------------------------
>
> Key: OPENEJB-1919
> URL: https://issues.apache.org/jira/browse/OPENEJB-1919
> Project: OpenEJB
> Issue Type: Bug
> Components: security
> Affects Versions: 4.0.0, 4.5.0
> Environment: embedded container, maven, win XP, Linux
> (3.2.0-31-generic-pae), OpenJDK Runtime Environment (IcedTea7 2.3.2)
> (7u7-2.3.2a-0ubuntu0.12.04.1), Sun 1.6.0_20-b02
> Reporter: Andreas Keefer
> Priority: Critical
> Labels: RolesAllowed, array, maven, security, test
> Attachments: ejbArrayParaTest.zip
>
>
> If an EJB method contains an array parameter, OpenEJB doesn't check the allowed
> roles.
> Example:
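> // MyEjb.java
> import javax.annotation.security.RolesAllowed;
> import javax.ejb.Stateless;
>
> @Stateless
> public class MyEjb {
>     @RolesAllowed("admin")
>     public void goAdminStringArray(String[] args) {
>     }
> }
>
> // MyEjbTest.java
> import javax.ejb.EJB;
> import javax.ejb.EJBAccessException;
> import javax.ejb.embeddable.EJBContainer;
> import javax.naming.NamingException;
> import org.junit.Before;
> import org.junit.Test;
>
> public class MyEjbTest {
>     @EJB
>     private MyEjb myEjb;
>
>     @Before
>     public void setUp() throws NamingException {
>         // start the embedded container and inject the bean into this test
>         EJBContainer.createEJBContainer().getContext().bind("inject", this);
>     }
>
>     // no caller is logged in, so the "admin" restriction should reject the call
>     @Test(expected = EJBAccessException.class)
>     public void testWithArray() {
>         // hmm ... array parameter == no Security check ???
>         myEjb.goAdminStringArray(new String[]{"a", "b"});
>     }
> }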
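To find out which beans in a deployment are exposed to the behaviour reported above, the role-restricted methods that take an array parameter can be listed by reflection. This is an added example, not code from the issue or from OpenEJB; `ArrayParamRoleAudit`, `SampleBean` and the stand-in `RolesAllowed` annotation are hypothetical names, and varargs methods are listed as well because they compile to array parameters.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ArrayParamRoleAudit {

    // Stand-in for javax.annotation.security.RolesAllowed so the example runs without a Java EE jar.
    @Retention(RetentionPolicy.RUNTIME)
    @interface RolesAllowed { String[] value(); }

    // Constructed sample bean modelled on the reporter's MyEjb.
    static class SampleBean {
        @RolesAllowed("admin") public void goAdminStringArray(String[] args) { }
        @RolesAllowed("admin") public void goAdminVarargs(int id, String... names) { }
        @RolesAllowed("admin") public void goAdminString(String arg) { }
        public void unrestricted(byte[] data) { }
    }

    // Matches by simple name, so both the real annotation and the stand-in are recognised.
    static boolean hasRolesAllowed(Annotation[] annotations) {
        for (Annotation a : annotations) {
            if (a.annotationType().getSimpleName().equals("RolesAllowed")) return true;
        }
        return false;
    }

    // Returns the role-restricted public methods of beanClass that take at least one array parameter.
    static List<String> audit(Class<?> beanClass) {
        boolean classLevel = hasRolesAllowed(beanClass.getAnnotations());
        List<String> hits = new ArrayList<>();
        for (Method m : beanClass.getDeclaredMethods()) {
            if (!Modifier.isPublic(m.getModifiers())) continue;
            if (!classLevel && !hasRolesAllowed(m.getAnnotations())) continue;
            // A varargs parameter is an array type at this level, so isArray() covers it too.
            if (Arrays.stream(m.getParameterTypes()).anyMatch(Class::isArray)) {
                hits.add(m.toGenericString());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        audit(SampleBean.class).forEach(System.out::println);
    }
}
```

Each method it reports is a candidate for a test like `testWithArray` above, run against the container version actually deployed.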