This message was not intended to be sent to the mailing list :-/

Ernst de Haan wrote:
> Hi Jeff,
> 
> I intend to write a document about Orion's security model. If it's okay with you, I
> will contact you sometime soon. I will attempt to address the issues you
> presented too.
> 
> Ernst
> --
> http://www.jollem.com/orion-primer/
> http://www.jollem.com/orion-cmp-primer/
> 
> 
> Jeff Schnitzer wrote:
> > Hi folks.
> > 
> > I'm struggling with Orion's security model in an attempt to get my first
> > entity bean working.  It seems that no matter what configuration setting
> > I tweak, I cannot successfully call a method on my bean's home
> > interface.  I always receive the exception:
> > 
> > com.evermind.server.rmi.OrionRemoteException: guest is not allowed to
> > call this EJB method, check your security settings (method-permission in
> > ejb-jar.xml and security-role-mapping in orion-application.xml).
> > 
> > The funny thing is that this is just about as vanilla a case as you can
> > imagine.  I'm calling the bean from a servlet, and I desire no
> > authentication whatsoever.  I want merely to anonymously call a method
> > on the home interface.  Here are a couple questions to which the answers
> > might provide me much enlightenment:
> > 
> > * Who is this "guest" person?  In the default master principals.xml,
> > there is a user called "anonymous" whose description implies that this
> > will be the user automatically assigned to any unauthenticated user.
> > Should that be "guest" so that I can assign a group (and thus a
> > security-role-mapping) to the unauthenticated user?  Is the name
> > special, or is there some other flag that I can't see?  I've tried
> > adding a user with the name "guest", etc.  Nothing I have tried works.
> > 
> > * What is the relationship between the master principals.xml in the
> > config directory and the principals.xml in the application deployment
> > directory?  I know the deployment orion-application.xml file points to
> > the deployment principals.xml, but does this override or supplement the
> > master config?  Does it make sense to change the <principals> in the
> > orion-application.xml to point to the master config, or is that
> > redundant?
> > 
> > * What does the <namespace-access> block do in the orion-application.xml
> > file?
> > 
> > * Do I have the basic concept right?  1) a user derives their name from
> > authentication, or if there is no authentication, they are assigned some
> > name (presumably "guest") by default.  2) the "user" belongs to one or
> > more groups, defined by one (or both?) of the principals.xml files.  3)
> > the groups are mapped to security roles in the deployment
> > orion-application.xml file using <security-role-mapping> tags.  4) the
> > security roles are mapped to actual bean method permissions in the
> > bean's deployment descriptor.
> > 
> > Somewhere this chain is broken for me, and I'm at a loss to figure out
> > where.  If it matters, the bean is an EJB 2.0 entity bean.  The
> > deployment descriptor defines a security role "users" which has
> > wildcard(*) permission to the bean.  The ear file's application.xml also
> > defines this role.  The default deployment orion-application.xml has the
> > <security-role-mapping> of role "users" to group "users".  The master
> > principals.xml has both "anonymous" and "guest" as users which belong to
> > the "users" group.
> > 
> > Both the atm and news demos work fine.  I presume it is because they
> > explicitly authenticate somewhere in code, but I haven't been able to
> > figure out how or why.
> > 
> > Help?  :-)
> > 
> > Thanks,
> > Jeff Schnitzer
> > [EMAIL PROTECTED]
> > 
> > 
