Although a lot of you do not seem to be using security yet, as no one has
answered my posts,
 
Well, I have not solved it; it is a bug.
 
The bug is that two or more security roles cannot have access to the same
methods.
 
For example, say I have a method on Mybean called:
 
methodA()
 
and I have 2 defined security roles:
 
    <security-role>
      <description>role 1</description>
      <role-name>role1</role-name>
    </security-role>
 
    <security-role>
      <description>role 2</description>
      <role-name>role2</role-name>
    </security-role>
 
then this method permission configuration is not possible in Orion.
 
 
    <method-permission>
      <description>peter</description>
      <role-name>role1</role-name>
      <method>
        <ejb-name>ejb/MYBean</ejb-name>
        <method-name>methodA</method-name>
      </method>
    </method-permission>
 
    <method-permission>
      <description>peter</description>
      <role-name>role2</role-name>
      <method>
        <ejb-name>ejb/MYBean</ejb-name>
        <method-name>methodA</method-name>
      </method>
    </method-permission>
 
 
This says that both "role1" and "role2" have access to call methodA. However,
if I have a user who is in "role2" (e.g. by putting them in an Orion group
that is mapped to role1), if I try to access methodA then Orion will
only check if user1 is in "role1" (e.g. by checking if the user is in an Orion
group mapped to role1). If they are not (as in this case), Orion does not
check if they are in role2 (e.g. by checking if the user is in an Orion group
mapped to role2). 
 
 
It seems to me Orion checks the first role that can access a method and uses
that role. So you get a one-to-one relationship between methods and roles.
 
So the relationship above is:
 
methodA can be accessed by "role1"
 
 
So, a solution to this:
 
One role per method. This means we have this:
 
    <security-role>
      <description>role 1</description>
      <role-name>role1</role-name>
    </security-role>
 
    <security-role>
      <description>role 2</description>
      <role-name>role2</role-name>
    </security-role>
 
    <method-permission>
      <description>peter</description>
      <role-name>role1</role-name>
      <method>
        <ejb-name>ejb/MYBean</ejb-name>
        <method-name>methodA</method-name>
      </method>
    </method-permission>
 
    <method-permission>
      <description>peter</description>
      <role-name>role2</role-name>
      <method>
        <ejb-name>ejb/MYBean</ejb-name>
        <method-name>methodB</method-name>
      </method>
    </method-permission>
 
 
methodA accessed by role1
methodB accessed by role2
 
 
So if I want a user to access methodA and methodB then they have to be in
role1 and role2. Now this works fine because Orion has a one-to-one
relationship.
 
HOWEVER:
 
As we know this is a bug, and the relationship between methods and roles
should be one-to-many. A method can be accessed by many roles. So in one of
my requirements I have a method
 
methodA()
 
that needs to be accessed by 2 roles, "super" and "editor". Now role "super"
can always access the method and execute the contents. However, role "editor"
can always access the method but, depending on an internal value, role
"editor" may or may not be able to execute the contents of the method. So I
need a one-to-many mapping between my methodA and my two roles. This is not
possible at the moment.
 
Comments...
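Added example, not code from the original post or from Orion, written in Python rather than Java: it parses a constructed ejb-jar.xml fragment like the one above into a method-to-roles map, applies the union semantics the deployment descriptor expresses (the caller needs any one of the granted roles; the "*" method-name wildcard handling goes beyond the post), and puts the first-match check the post describes next to it so both can be compared on the same descriptor.

```python
"""Added example (not from the original post or from Orion): build the
method -> roles map from an ejb-jar.xml assembly descriptor with the
spec-intended union semantics, beside the first-match check the post describes."""
import xml.etree.ElementTree as ET

# Constructed descriptor mirroring the post: methodA granted to role1 AND role2.
EJB_JAR_XML = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>role1</role-name></security-role>
  <security-role><role-name>role2</role-name></security-role>
  <method-permission><role-name>role1</role-name>
    <method><ejb-name>ejb/MYBean</ejb-name><method-name>methodA</method-name></method>
  </method-permission>
  <method-permission><role-name>role2</role-name>
    <method><ejb-name>ejb/MYBean</ejb-name><method-name>methodA</method-name></method>
    <method><ejb-name>ejb/MYBean</ejb-name><method-name>methodB</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""


def method_grants(xml_text):
    """Return {(ejb-name, method-name): [role names in descriptor order]}."""
    root = ET.fromstring(xml_text)
    grants = {}
    for perm in root.findall(".//method-permission"):
        roles = [r.text.strip() for r in perm.findall("role-name")]
        for m in perm.findall("method"):
            key = (m.findtext("ejb-name").strip(), m.findtext("method-name").strip())
            grants.setdefault(key, []).extend(roles)
    return grants


def undeclared_roles(xml_text):
    """Roles named in <method-permission> but missing a <security-role> declaration."""
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for r in root.findall(".//security-role/role-name")}
    used = {r.text.strip() for r in root.findall(".//method-permission/role-name")}
    return sorted(used - declared)


def is_permitted(grants, ejb, method, user_roles):
    """Descriptor semantics: the caller needs ANY one of the roles granted to the
    method (a <method-name>*</method-name> entry covers every method of the bean)."""
    roles = set(grants.get((ejb, method), [])) | set(grants.get((ejb, "*"), []))
    return bool(roles & set(user_roles))


def first_match_permitted(grants, ejb, method, user_roles):
    """The behaviour the post describes: only the first role granted is consulted."""
    roles = grants.get((ejb, method), [])
    return bool(roles) and roles[0] in user_roles
```

With the descriptor above, a caller holding only role2 is allowed onto methodA by is_permitted but refused by first_match_permitted, which is exactly the difference the post reports.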