All right.  Following up my previous post, I've managed to get everything
working by (1) creating a copy of orion-ejb-app.jar, which I (2) tweak to my
specifications (such as specifying the table name, although I still think
Orion ought to be smart enough to swap out keywords in the database schema
for table names as well as fields) and (3) copy over the auto-generated one
before restarting the server.  This fits in well with the deploy script I
wrote, which blows away any tables created in the database, thus ensuring a
fresh deployment every time.
   Newest configuration headache.  Security.  I've got some administration
methods on my classes which I'd like to only be able to be called from
administrative sessions.  I defined the following in my ejb-jar.xml:

                <security-role>
                        <role-name>everyone</role-name>
                </security-role>
                <method-permission>
                        <role-name>everyone</role-name>
                        <method>
                                <ejb-name>User</ejb-name>
                                <method-name>findByPrimaryKey</method-name>
                        </method>
                </method-permission>

which, as the only security declaration, I believe should allow anyone
mapped to the "everyone" role to execute the findByPrimaryKey method, but not
the create method.  I then added the following to the orion-ejb-jar.xml file:

                        <security-role-mapping name="everyone">
                                <group name="users" />
                        </security-role-mapping>

which ought to map anyone in the users group to the everyone role.  However,
running a test program reveals that anyone logged in using my test account
(defined in principles.xml as a member of "guests" and "users") can execute
any method on the User interface without a security exception.
   Any thoughts?

-- Chris
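
An added example, not part of the original post or of Orion: a small Python check that reads the method-permission entries from a descriptor like the one above and lists which bean methods have no entry at all. The wrapping root element and the method list for the User bean are assumptions; only findByPrimaryKey and create are named in the post.

```python
import xml.etree.ElementTree as ET

# Constructed input: the post's ejb-jar.xml fragment inside an assumed root element.
DESCRIPTOR = """
<assembly-descriptor>
  <security-role><role-name>everyone</role-name></security-role>
  <method-permission>
    <role-name>everyone</role-name>
    <method>
      <ejb-name>User</ejb-name>
      <method-name>findByPrimaryKey</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
"""

# Assumed method list for the User bean (the two names mentioned in the post).
USER_METHODS = ["findByPrimaryKey", "create"]

def permission_map(descriptor_xml):
    """Return {(ejb_name, method_name): set(role_names)} from method-permission."""
    root = ET.fromstring(descriptor_xml)
    perms = {}
    for mp in root.iter("method-permission"):
        roles = {r.text.strip() for r in mp.findall("role-name")}
        for m in mp.findall("method"):
            key = (m.findtext("ejb-name").strip(), m.findtext("method-name").strip())
            perms.setdefault(key, set()).update(roles)
    return perms

def audit(descriptor_xml, ejb_name, methods):
    """Split methods into those with a permission entry and those with none."""
    perms = permission_map(descriptor_xml)
    wildcard = perms.get((ejb_name, "*"), set())  # "*" names every method of the bean
    covered, uncovered = {}, []
    for name in methods:
        roles = perms.get((ejb_name, name), set()) | wildcard
        if roles:
            covered[name] = sorted(roles)
        else:
            uncovered.append(name)
    return covered, uncovered

def undeclared_roles(descriptor_xml):
    """Roles used in method-permission but missing a security-role declaration."""
    root = ET.fromstring(descriptor_xml)
    declared = {r.text.strip() for r in root.findall(".//security-role/role-name")}
    used = {r for roles in permission_map(descriptor_xml).values() for r in roles}
    return sorted(used - declared)

if __name__ == "__main__":
    print(audit(DESCRIPTOR, "User", USER_METHODS), undeclared_roles(DESCRIPTOR))
```

Methods reported in the second list carry no declaration in the descriptor, so whether they are callable depends on how the container treats unlisted methods.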

