Hi Arved,

Can I suggest you try the following.  In the ejb-jar.xml file that
specifies the ejb security, specify the GROUP name instead of the ROLE
name. (Even though that's the wrong thing to do.)  Then delete the
orion-ejb-jar.xml file (to get rid of the old references to the role name
that are in there). Then redeploy and try again.

If that works, maybe you could throw your weight behind Bugzilla report #55
so we can get it fixed!

Nick

At 10:26 AM 9/19/00 -0300, you wrote:
>I'm looking forward to docs and examples myself.
>
>One thing that I've noticed, after copious experimentation with the
>DataSourceUserManager, is that the group <=> mapping is somewhat deficient.
>In other words, I have my users and groups tables set up, and I've made
>suitable mods and adjustments to principals.xml, orion-application.xml,
>ejb-jar.xml, and orion-ejb-jar.xml as required (or suggested). In some cases
>I'm flailing about, frankly.
>
>In any case, a login with username and password is obviously finding the
>group, and mapping the group to role, because when I check the role after
>login it's OK. I don't have to hardcode it, which is vital.
>
>However, and I've tried everything, I don't believe this knowledge is being
>passed on to the EJB container. No role, however declared in the various
>J2EE/Orion descriptors, is able to access *any* method in an EJB that has
>method-permissions.
>
>So my assessment on the user/role managers is that it is reasonably useful:
>one can assign roles based on login, and test for that as required. But
>method-level security in EJBs does not work, at least not in a documented,
>demonstrated and reliable manner.
>
>The odd thing is that this may not be that much of a big deal. I've been
>writing J2EE for pretty much a full year, and I have yet to see a situation
>where method-level permissions gain me anything at all. It's literally never
>been necessary. It seems to be one of these J2EE things that made ostensible
>sense at the time but has little practical value. Just a thought.
>
>The only reason it disturbs me is because it should work and doesn't. :-) If
>an example can be supplied - complete with Orion-specific deployment
>descriptors - I'll be overjoyed.
>
>Arved Sandstrom
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Lawrence Fry
>Sent: Monday, September 18, 2000 6:36 PM
>To: Orion-Interest
>Subject: RE: User/Group manager guide
>
>
>Guilherme,
>
>Hear, hear! I'm glad somebody said it.
>
>But without documentation, you should look at the archives to this list,
>because many of these problems have already been worked out.
>
>For example...it isn't said anywhere in the documentation, but the
>EJBUserManager is the most useful device for ecommerce. With this, you can
>automatically login users and create users for your website...without one
>call to the EJBUserManager stuff. In order to use this, you will have to add
>the following to your orion-application.xml file:
>
>        <user-manager class="com.evermind.ejb.EJBUserManager">
>                 <property name="home" value="com.evermind.ejb.EJBUser" />
>                 <property name="defaultGroups" value="users" />
>        </user-manager>
>
>I found this tidbit in the mail archive. Then you can use the role manager
>to allow users access to ejb resources, and the role manager automatically
>uses your databank with cmp to create users....create a user like this:
>
>try
>{
>    // Look up Orion's RoleManager through JNDI
>    RoleManager roleManager = (RoleManager)new InitialContext().lookup("java:comp/RoleManager");
>    // Refuse to create an account that already exists
>    if(roleManager.getPrincipal(username) != null)
>        throw new DuplicateAccountException(username);
>    Principal principal = roleManager.createPrincipal(username, password);
>    roleManager.addToRole(principal, role);
>    // Persist the new principal and its role membership
>    roleManager.store();
>}
>catch(NamingException e){}
>catch(UserAlreadyExistsException e){}
>catch(InstantiationException e){}
>catch(IOException e){}
>
>and like magic, a user database is created. Of course, you also have to make
>sure your roles are part of your groups.
>
>This is the great secret of orion...great stuff, no documentation! It took
>me weeks to figure this out. I wish there was a tutorial on these simple
>issues:
>
>How do you log in a client through a database of usernames/passwords?
>How do you enroll a client into a database of usernames/passwords?
>How do you control access to web resources (ejb's, jsp's, servlets)?
>
>The existing documentation on this is about as clear as mud.
>
>Regards,
>
>Lawrence
>
>
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Guilherme
>Ceschiatti
>Sent: Monday, September 18, 2000 1:58 PM
>To: Orion-Interest
>Subject: User/Group manager guide
>
>
>Hi!
>
>I'm almost leaving Orion because of the lack of documentation, mainly about how to
>manage User/Groups. As many people have lots of doubts related to it too, I'm
>asking the Orion team or anybody else to write a tutorial about it. I really
>don't want to leave Orion, because I've made good things on it, but I'm
>spending a lot of time trying to "decifrate" how to use the Orion API.
>
>Thanks.
>Guilherme Ceschiatti
>[EMAIL PROTECTED]
>
>
>
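
The descriptor wiring this thread is about, shown as an added illustration (not taken from any poster's application or from the Orion distribution): the standard ejb-jar.xml declares a role and restricts a bean's methods to it, and orion-application.xml maps that role onto a group. The bean name `AccountBean` and the role name `customer` are hypothetical; the group `users` is the `defaultGroups` value quoted above.

```xml
<!-- ejb-jar.xml (standard J2EE descriptor): declare the role and
     restrict the bean's methods to it. -->
<ejb-jar>
  <!-- enterprise-beans section omitted; AccountBean is a hypothetical bean -->
  <assembly-descriptor>
    <security-role>
      <!-- Workaround suggested in the reply at the top of this message:
           put the GROUP name (here "users") in role-name instead of the
           role name, and delete orion-ejb-jar.xml before redeploying. -->
      <role-name>customer</role-name>
    </security-role>
    <method-permission>
      <!-- Only callers holding this role may invoke the methods below -->
      <role-name>customer</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- orion-application.xml (Orion-specific): map the J2EE role onto a
     group known to the configured user manager. -->
<orion-application>
  <security-role-mapping name="customer">
    <group name="users" />
  </security-role-mapping>
</orion-application>
```

With this wiring, a caller whose login resolves to the `users` group is expected to hold the `customer` role when the EJB container checks the method permission; that propagation step is the one reported as failing in this thread.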