Chris,

See bug 193 in bugzilla. If you change the way you define the multiple
roles, it will work. There are apparently two ways sanctioned by j2ee spec,
but only one way works in orion. I was looking at this bug yesterday in
preparation for doing exactly what you are trying to do.

Regards,

the elephantwalker

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Chris
Bergstresser
Sent: Saturday, April 14, 2001 6:32 PM
To: Orion-Interest
Subject: Security issues. (Ugh).


   All right.  Following up my previous post, I've managed to get everything
working by (1) creating a copy of orion-ejb-app.jar, which I (2) tweak to my
specifications (such as specifying the table name, although I still think
Orion ought to be smart enough to swap out keywords in the database schema
for table names as well as fields) and (3) copy over the auto-generated one
before restarting the server.  This fits in well with the deploy script I
wrote, which blows away any tables created in the database, thus ensuring a
fresh deployment every time.
   Newest configuration headache.  Security.  I've got some administration
methods on my classes which I'd like to only be able to be called from
administrative sessions.  I defined the following in my ejb-jar.xml:

                <security-role>
                        <role-name>everyone</role-name>
                </security-role>
                <method-permission>
                        <role-name>everyone</role-name>
                        <method>
                                <ejb-name>User</ejb-name>
                                <method-name>findByPrimaryKey</method-name>
                        </method>
                </method-permission>

which, as the only security declaration, I believe should allow anyone
mapped to the "everyone" role to execute the findByPrimaryKey method, but not
the create method.  I then added the following to the orion-ejb-jar.xml file:

                        <security-role-mapping name="everyone">
                                <group name="users" />
                        </security-role-mapping>

which ought to map anyone in the users group to the everyone role.  However,
running a test program reveals that anyone logged in using my test account
(defined in principles.xml as a member of "guests" and "users") can execute
any method on the User interface without a security exception.
   Any thoughts?

-- Chris
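For reference, here is a fuller version of the two descriptors, written as an added example and not taken from Chris's deployment or from the Orion distribution. It shows the two spec-sanctioned ways of granting one method to several roles (several role-name elements in one method-permission, or one method-permission per role) that the reply refers to, plus an explicit admin-only grant; the role name "admin", the group name "administrators" and the outer orion-ejb-jar/assembly-descriptor wrapper are assumptions for the example.

```xml
<!-- ejb-jar.xml, assembly-descriptor section (added example, not Chris's file).
     Role "admin" is assumed for this example. -->
<assembly-descriptor>
    <security-role>
        <role-name>everyone</role-name>
    </security-role>
    <security-role>
        <role-name>admin</role-name>
    </security-role>

    <!-- Form 1: one method-permission listing several roles. -->
    <method-permission>
        <role-name>everyone</role-name>
        <role-name>admin</role-name>
        <method>
            <ejb-name>User</ejb-name>
            <method-name>findByPrimaryKey</method-name>
        </method>
    </method-permission>

    <!-- Form 2: the same grant as one method-permission per role.
         Use either form 1 or form 2, not both. -->
    <method-permission>
        <role-name>everyone</role-name>
        <method>
            <ejb-name>User</ejb-name>
            <method-name>findByPrimaryKey</method-name>
        </method>
    </method-permission>
    <method-permission>
        <role-name>admin</role-name>
        <method>
            <ejb-name>User</ejb-name>
            <method-name>findByPrimaryKey</method-name>
        </method>
    </method-permission>

    <!-- Admin-only: every other method on User (home and remote interfaces),
         including create, so nothing is left without an explicit grant. -->
    <method-permission>
        <role-name>admin</role-name>
        <method>
            <ejb-name>User</ejb-name>
            <method-name>*</method-name>
        </method>
    </method-permission>
</assembly-descriptor>

<!-- orion-ejb-jar.xml (added example). Group "administrators" and the
     surrounding orion-ejb-jar/assembly-descriptor elements are assumed. -->
<orion-ejb-jar>
    <assembly-descriptor>
        <security-role-mapping name="everyone">
            <group name="users" />
        </security-role-mapping>
        <security-role-mapping name="admin">
            <group name="administrators" />
        </security-role-mapping>
    </assembly-descriptor>
</orion-ejb-jar>
```

The point worth checking on any container: method-permission is a grant list, and the spec does not make a method that appears in no method-permission inaccessible, so relying on create being denied merely because it was never listed is fragile. Name every exposed method under some role, then verify with an account that is in "users" only that a call to create fails with a java.rmi.RemoteException while findByPrimaryKey still succeeds.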