Hi Ivan,
On Jun 9, 2009, at 6:55 PM, Ivan wrote:

Thanks, David. I have changed some code about EJB security, because it made some cases fail. Currently, I use whether a security segment exists in the deployment plan to decide whether a JACC Manager needs to be created.

I think that's what we used to do and it is very wrong. It makes it too easy to deploy an app without the security you expect because you don't understand how to write a Geronimo plan. What we want is that if there are security annotations in the EJBs or if security is configured in the ejb-jar.xml spec deployment descriptor, then we require security configuration in the Geronimo plan and set up the JACC stuff.

I thought I found all the TCK tests that had security in the spec DD or annotations and fixed the plans, but it's entirely possible I missed some. We should add security config to the Geronimo plans rather than allowing deployment.

thanks
david jencks


Ivan

2009/6/10 David Blevins <david.blev...@visi.com>

On Jun 2, 2009, at 11:08 PM, Ivan wrote:

1. If there is no method-permission for an EJB in the ejb-jar.xml, do we still need a JACC Manager, in which we grant all access permissions?
2. When do we say that the EJBDeploymentGBean of an EJB is not security-enabled? In the current code, the value seems to always be set to true.

It seems both questions boil down to "if the user isn't using security, can we have security-enabled set to false?" IIRC, that's what we did. Though this part might have been changed along with David J's changes to make it so that an app with EJB method-permissions (or equivalent annotations) would fail on deployment if no security was set up.

-David




--
Ivan
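
The two policies discussed in this thread, side by side, as an added example that is not part of the original messages and is not Geronimo's code. The function names, the constructed sample descriptors, and matching the plan's security section by the element name `security` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# ejb-jar.xml elements and javax.annotation.security annotations that declare EJB security.
SPEC_SECURITY_ELEMENTS = {"method-permission", "exclude-list", "security-role",
                          "security-role-ref", "security-identity"}
SECURITY_ANNOTATIONS = {"RolesAllowed", "PermitAll", "DenyAll", "DeclareRoles", "RunAs"}

# Constructed sample descriptors (not taken from the TCK or from Geronimo).
SECURED_EJB_JAR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"><assembly-descriptor>
  <method-permission><role-name>admin</role-name>
    <method><ejb-name>Payroll</ejb-name><method-name>*</method-name></method>
  </method-permission></assembly-descriptor></ejb-jar>"""
UNSECURED_EJB_JAR = '<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"/>'
PLAN_WITHOUT_SECURITY = "<openejb-jar><enterprise-beans/></openejb-jar>"
PLAN_WITH_SECURITY = "<openejb-jar><security><role-mappings/></security></openejb-jar>"


def local_names(xml_text):
    """Element names used in a document, with namespaces stripped."""
    return {el.tag.rsplit("}", 1)[-1] for el in ET.fromstring(xml_text).iter()}


def plan_driven(ejb_jar_xml, plan_xml, annotations=()):
    """Plan alone decides: a plan with no security section silently means no JACC."""
    return "jacc" if "security" in local_names(plan_xml) else "no-jacc"


def spec_driven(ejb_jar_xml, plan_xml, annotations=()):
    """App declares security: the plan must configure it, otherwise reject."""
    declared = sorted((local_names(ejb_jar_xml) & SPEC_SECURITY_ELEMENTS)
                      | (set(annotations) & SECURITY_ANNOTATIONS))
    # Assumption: the plan's security section is an element with local name "security".
    plan_has_security = "security" in local_names(plan_xml)
    if declared and not plan_has_security:
        raise ValueError("deployment rejected: app declares " + ", ".join(declared)
                         + " but the plan has no security configuration")
    # Assumption: a plan that configures security gets JACC even if nothing is declared.
    return "jacc" if declared or plan_has_security else "no-jacc"


if __name__ == "__main__":
    print(plan_driven(SECURED_EJB_JAR, PLAN_WITHOUT_SECURITY))  # deploys unsecured
    try:
        spec_driven(SECURED_EJB_JAR, PLAN_WITHOUT_SECURITY)
    except ValueError as err:
        print(err)
```

The case that separates the two is an EJB with `method-permission` and a plan with no security section: the plan-driven check deploys it with no JACC setup, while the spec-driven check refuses the deployment.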
