Hi folks.

I'm struggling with Orion's security model in an attempt to get my first
entity bean working.  It seems that no matter what configuration setting
I tweak, I cannot successfully call a method on my bean's home
interface.  I always receive the exception:

com.evermind.server.rmi.OrionRemoteException: guest is not allowed to
call this EJB method, check your security settings (method-permission in
ejb-jar.xml and security-role-mapping in orion-application.xml).

The funny thing is that this is just about as vanilla a case as you can
imagine.  I'm calling the bean from a servlet, and I desire no
authentication whatsoever.  I want merely to anonymously call a method
on the home interface.  Here are a couple of questions to which the answers
might provide me much enlightenment:

* Who is this "guest" person?  In the default master principals.xml,
there is a user called "anonymous" whose description implies that this
will be the user automatically assigned to any unauthenticated user.
Should that be "guest" so that I can assign a group (and thus a
security-role-mapping) to the unauthenticated user?  Is the name
special, or is there some other flag that I can't see?  I've tried
adding a user with the name "guest", etc.  Nothing I have tried works.

* What is the relationship between the master principals.xml in the
config directory and the principals.xml in the application deployment
directory?  I know the deployment orion-application.xml file points to
the deployment principals.xml, but does this override or supplement the
master config?  Does it make sense to change the <principals> in the
orion-application.xml to point to the master config, or is that
redundant?

* What does the <namespace-access> block do in the orion-application.xml
file?

* Do I have the basic concept right?  1) a user derives their name from
authentication, or if there is no authentication, they are assigned some
name (presumably "guest") by default.  2) the "user" belongs to one or
more groups, defined by one (or both?) of the principals.xml files.  3)
the groups are mapped to security roles in the deployment
orion-application.xml file using <security-role-mapping> tags.  4) the
security roles are mapped to actual bean method permissions in the
bean's deployment descriptor.

Somewhere this chain is broken for me, and I'm at a loss to figure out
where.  If it matters, the bean is an EJB 2.0 entity bean.  The
deployment descriptor defines a security role "users" which has
wildcard (*) permission to the bean.  The ear file's application.xml also
defines this role.  The default deployment orion-application.xml has the
<security-role-mapping> of role "users" to group "users".  The master
principals.xml has both "anonymous" and "guest" as users which belong to
the "users" group.

Both the atm and news demos work fine.  I presume it is because they
explicitly authenticate somewhere in code, but I haven't been able to
figure out how or why.

Help?  :-)

Thanks,
Jeff Schnitzer
[EMAIL PROTECTED]
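As an added illustration (not part of Jeff's message, and not taken from the Orion distribution), here is what the four-step chain he describes looks like when written out across the three descriptors he names. The only element names the post itself supplies are method-permission, security-role-mapping, principals and namespace-access; the remaining element names come from the EJB 2.0 assembly-descriptor and from Orion's descriptor format as I remember it, the bean name AccountBean and the principals path are placeholders, and the namespace-access structure in particular is an assumption to check against the DTD shipped with your Orion version.

```xml
<!-- ejb-jar.xml (EJB 2.0 standard): step 4, security role -> method permissions -->
<assembly-descriptor>
  <security-role>
    <role-name>users</role-name>
  </security-role>
  <method-permission>
    <role-name>users</role-name>
    <method>
      <ejb-name>AccountBean</ejb-name>   <!-- hypothetical bean name -->
      <method-name>*</method-name>      <!-- wildcard, as in the post -->
    </method>
  </method-permission>
</assembly-descriptor>

<!-- orion-application.xml (Orion-specific): step 3, group -> security role -->
<orion-application>
  <!-- the application's own principals file; path is a placeholder -->
  <principals path="principals.xml"/>
  <security-role-mapping name="users">
    <group name="users"/>
  </security-role-mapping>
  <!-- namespace-access controls who may look up this application's
       resources through JNDI; structure assumed, verify against the DTD -->
  <namespace-access>
    <read-access>
      <namespace-resource root="">
        <security-role-mapping name="users">
          <group name="users"/>
        </security-role-mapping>
      </namespace-resource>
    </read-access>
  </namespace-access>
</orion-application>

<!-- principals.xml (Orion-specific): steps 1 and 2, user -> group membership -->
<principals>
  <groups>
    <group name="users">
      <description>callers allowed to reach the bean</description>
    </group>
  </groups>
  <users>
    <!-- the unauthenticated caller; the open question in the post is
         whether Orion resolves that caller as "anonymous" or as "guest" -->
    <user username="anonymous" password="">
      <description>unauthenticated caller</description>
      <group-membership group="users"/>
    </user>
  </users>
</principals>
```

Two things to check when the chain breaks: the name printed in the exception ("guest" here) must exist as a user, with a group-membership in "users", in whichever principals.xml the orion-application.xml's principals element actually points at, otherwise step 2 fails silently; and a wildcard method-permission granted to a group that contains the unauthenticated principal lets every caller invoke every method of the bean, so once the lookup works, narrow method-name to the operations an anonymous caller genuinely needs.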