Hi Karl,

I find the ATM code very confusing.  It uses the security role name
"users", and the config/principals.xml file defines a group named "users",
and apparently these two concepts are magically united.  Where is the group
assigned to the role?  How does the atm's own principals.xml fit into the
scheme?

To try to answer these questions I assembled the smallest and simplest
application I could think of (attached).  I am fairly convinced that it
demonstrates a bug in the security mechanism in orion. (And I have reported
this, but not the extra information that I have just discovered - see below).

The application contains one very simple stateless session EJB which
delivers a "hello world" message.  All of the methods are defined to be
accessible to the "TestRole".

The orion-application.xml assigns the "TestGroup" to the "TestRole".

The principals.xml defines the "TestGroup" and a user named "nick" with
password "newman" who is in the "TestGroup" (and hence in the "TestRole").

The application also contains two jsp pages, which are also made accessible
to the "TestRole".

The first page prints request.getRemoteUser() (which displays "nick") and
request.isUserInRole("TestRole") (which displays "true").  This works as
expected, and tends to suggest the mappings work.

The second page tries to print the message from the session bean, but the
access is denied ("nick is not allowed to call the ejb/Hello.create(...)
method....")

After MUCH frustration and experimentation I have just found that if the
ejb-jar.xml file is changed to set the <role-name> to TestGroup (not
TestRole!) then access is granted. (You may have to delete the
orion-ejb-jar.xml to get rid of existing references to TestRole before
deploying).

Surely access should be granted in terms of roles, not groups?

Thanks,
Nick Newman, SCIENTECH Inc



At 05:11 PM 8/18/00 +0200, you wrote:
>Hello Dave and others,
>
>we'll post some better explanation on this soon, but until then, have
>you gotten the ATM to work with the user management? It is a good
>example of using roles and users in Orion
>
>Regards,
>Karl Avedal
>
>Dave Smith wrote:
>
>> This has been a long running problem that I never received an answer
>> to, despite much discussion on this list.
>>

SecurityBug.ear
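The three descriptors Nick describes (ejb-jar.xml granting methods to TestRole, orion-application.xml mapping TestRole to TestGroup, principals.xml putting user nick in TestGroup) have to agree before any deployment can be trusted to enforce access by role. The script below is an added example, not code from the original mail or from Orion: it embeds constructed versions of those three files, cross-checks them, and flags the failure mode in the mail, where the ejb-jar.xml role-name is changed to a group name that has no security-role-mapping so access would rest on implicit name matching instead of an explicit role-to-group assignment. The element layout of orion-application.xml and principals.xml (security-role-mapping/group, groups/group, users/user/group-membership) is assumed from Orion's descriptor format; the EJB 1.1 ejb-jar.xml layout is standard.

```python
"""Cross-check ejb-jar.xml, orion-application.xml and principals.xml.

Added example: verifies that every role named in ejb-jar.xml has an explicit
security-role-mapping, that each mapped group exists, and that a given user
is in at least one group mapped to each role.  The descriptor layouts below
are assumed from Orion's format; the sample files are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml: every method of Hello is granted to TestRole.
EJB_JAR_XML = """
<ejb-jar>
  <enterprise-beans>
    <session><ejb-name>Hello</ejb-name><session-type>Stateless</session-type></session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>TestRole</role-name></security-role>
    <method-permission>
      <role-name>TestRole</role-name>
      <method><ejb-name>Hello</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

# Same descriptor after the workaround in the mail: role-name set to the
# group name TestGroup, which has no mapping of its own.
EJB_JAR_WORKAROUND_XML = EJB_JAR_XML.replace("TestRole", "TestGroup")

# Constructed orion-application.xml: TestRole is assigned to TestGroup.
ORION_APPLICATION_XML = """
<orion-application>
  <security-role-mapping name="TestRole">
    <group name="TestGroup"/>
  </security-role-mapping>
</orion-application>
"""

# Constructed principals.xml: TestGroup exists and user nick belongs to it.
PRINCIPALS_XML = """
<principals>
  <groups>
    <group name="TestGroup"><description>test group</description></group>
  </groups>
  <users>
    <user username="nick" password="newman">
      <group-membership group="TestGroup"/>
    </user>
  </users>
</principals>
"""


def ejb_roles(ejb_jar_xml):
    """Every role-name referenced anywhere in ejb-jar.xml."""
    root = ET.fromstring(ejb_jar_xml)
    return {e.text.strip() for e in root.iter("role-name") if e.text}


def role_mappings(orion_application_xml):
    """role name -> set of group names from security-role-mapping elements."""
    root = ET.fromstring(orion_application_xml)
    return {m.get("name"): {g.get("name") for g in m.findall("group")}
            for m in root.iter("security-role-mapping")}


def principals(principals_xml):
    """(defined group names, username -> set of group memberships)."""
    root = ET.fromstring(principals_xml)
    groups = {g.get("name") for g in root.iter("group")}
    users = {u.get("username"): {gm.get("group") for gm in u.findall("group-membership")}
             for u in root.iter("user")}
    return groups, users


def audit(ejb_jar_xml, orion_application_xml, principals_xml, username):
    """Return a list of findings; an empty list means the descriptors agree."""
    roles = ejb_roles(ejb_jar_xml)
    mapping = role_mappings(orion_application_xml)
    groups, users = principals(principals_xml)
    findings = []
    for role in sorted(roles):
        if role not in mapping:
            msg = f"role '{role}' in ejb-jar.xml has no security-role-mapping"
            if role in groups:
                msg += " (name collides with a group; access would rely on name matching)"
            findings.append(msg)
            continue
        for group in sorted(mapping[role]):
            if group not in groups:
                findings.append(f"role '{role}' maps to undefined group '{group}'")
        if username in users and not users[username] & mapping[role]:
            findings.append(f"user '{username}' is in no group mapped to '{role}'")
    return findings


if __name__ == "__main__":
    print("consistent:", audit(EJB_JAR_XML, ORION_APPLICATION_XML, PRINCIPALS_XML, "nick"))
    print("workaround:", audit(EJB_JAR_WORKAROUND_XML, ORION_APPLICATION_XML, PRINCIPALS_XML, "nick"))
```

Running the script shows no findings for the consistent set and one finding for the workaround set, because TestGroup appears as a role-name in ejb-jar.xml but is only ever defined as a group. Whatever the container does at runtime, a deployment whose EJB access works only under that collision is worth flagging before it ships.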
