[
https://issues.apache.org/jira/browse/GERONIMO-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Donald Woods updated GERONIMO-1053:
-----------------------------------
Fix Version/s: (was: 1.1.2)
> Session Bean, Finder, & Method Permissions
> ------------------------------------------
>
> Key: GERONIMO-1053
> URL: https://issues.apache.org/jira/browse/GERONIMO-1053
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: OpenEJB, security
> Affects Versions: 1.0-M5
> Reporter: Aaron Mulder
> Priority: Blocker
>
> I have an EAR with a Web App, Session Bean, and CMP Entity Bean, using the M5
> release.
> The user brings up a secure page on the web app and logs in.
> The web code invoked after the login calls the session bean.
> The session bean calls a finder on the entity bean, and gets this (in the
> session bean method code, where it calls the finder):
> {noformat}
> Caused by: javax.ejb.TransactionRolledbackLocalException
> at
> org.openejb.transaction.ContainerPolicy$TxRequired.invoke(ContainerPolicy.java:123)
> at
> org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80)
> at
> org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82)
> at
> org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:545)
> at
> org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
> at
> org.openejb.proxy.EJBMethodInterceptor.intercept(EJBMethodInterceptor.java:129)
> at
> org.openejb.proxy.EntityEJBLocalHome$$EnhancerByCGLIB$$afb1a239.findAll(<generated>)
> at
> org.loadmagus.ejb.TestManagerBean.getAllApplications(TestManagerBean.java:70)
> ... 48 more
> Caused by: javax.ejb.AccessLocalException: access denied
> (javax.security.jacc.EJBMethodPermission EntityBean findAll,LocalHome,)
> at
> org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:107)
> at
> org.apache.geronimo.naming.java.ComponentContextInterceptor.invoke(ComponentContextInterceptor.java:56)
> at
> org.openejb.ConnectionTrackingInterceptor.invoke(ConnectionTrackingInterceptor.java:81)
> at
> org.openejb.entity.EntityInstanceInterceptor.invoke(EntityInstanceInterceptor.java:136)
> at
> org.openejb.entity.cmp.InTxCacheInterceptor.invoke(InTxCacheInterceptor.java:84)
> at
> org.openejb.transaction.ContainerPolicy$TxRequired.invoke(ContainerPolicy.java:119)
> ... 55 more
> {noformat}
> The ejb-jar.xml for the EJBs in question has:
> {noformat}
> <security-role>
> <role-name>Developer</role-name>
> </security-role>
> <method-permission>
> <role-name>Developer</role-name>
> <method>
> <ejb-name>SessionBean</ejb-name>
> <method-name>*</method-name>
> </method>
> </method-permission>
> <method-permission>
> <role-name>Developer</role-name>
> <method>
> <ejb-name>EntityBean</ejb-name>
> <method-name>*</method-name>
> </method>
> </method-permission>
> {noformat}
> So it's a little odd that the session bean sees a transaction rolled back
> exception rather than the real security exception, but whatever.
> The real problem is that both the session bean and the entity bean are
> covered by identical all-inclusive method permission blocks, so if the user
> got into the session bean, there should be no reason they can't get into the
> entity bean. The syntax above is specifically supported in the
> ejb-jar-2_1.xsd Schema (#1; "This style is used to refer to all the methods
> of the specified enterprise bean's home, component, and/or web service
> endpoint interfaces.")
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
