Hi all, 

I have some difficulties setting up declarative authorization for EJB methods. (I'm using 
orion 1.4.1 on a win2K platform (and ejb1.1))
This is what I've done:
- I have an entity bean named Banks in an application-client named Banks
- I have a session bean named SecurityGod in an application-client named SecurityGod
- I have this business logic:
                SecurityGodHome sgHome = getSecurityGodHome();
                SecurityGod sg = sgHome.create(); // remote reference; sg was used below but never declared
                BanksData bd = null; // BanksData is a simple class
                try
                {
                        bd = sg.getBankByName(name);
                }
                catch(BankNotFoundException bnfe)
                {
                        // no bank with that name: bd stays null
                }
 - getBankByName() is:
        public BanksData getBankByName(String name) throws Exception
        {
                BanksHome home = this.getBanksHome();
                Banks bank;
                BanksData bd = null;

                Collection banks;
                banks = home.findByName(name);
                if (!banks.isEmpty())
                {
                        Iterator it;
                        it = banks.iterator();
                        bank = (Banks) it.next();
                        bd = bank.getBanksData();
                }
                else
                {
                        throw new BankNotFoundException("Bank " + name + " does not exist!");
                }

                return bd;
        }
- now the descriptors:
ejb-jar.xml from Banks:
        <assembly-descriptor>
            <security-role>
                <role-name>sr_administrators</role-name>
            </security-role>
            <security-role>
                <role-name>sr_banks</role-name>
            </security-role>
            <method-permission>
                <role-name>sr_administrators</role-name>
                <method>
                    <ejb-name>Banks</ejb-name>
                    <method-intf>Remote</method-intf>
                    <method-name>*</method-name>
                </method>
            </method-permission>
            <method-permission>
                <role-name>sr_administrators</role-name>
                <method>
                    <ejb-name>Banks</ejb-name>
                    <method-intf>Remote</method-intf>
                    <method-name>getBanksData</method-name>
                </method>
            </method-permission>
        </assembly-descriptor>
ejb-jar.xml from SecurityGod:
        <assembly-descriptor>
            <security-role>
                <role-name>sr_administrators</role-name>
            </security-role>
            <security-role>
                <role-name>sr_users</role-name>
            </security-role>
            <method-permission>
                <role-name>sr_administrators</role-name>
                <method>
                    <ejb-name>SecurityGod</ejb-name>
                    <method-intf>Remote</method-intf>
                    <method-name>create</method-name>
                </method>
            </method-permission>
        </assembly-descriptor>

I log in as an admin (which is part of security-role sr_administrators) and I cannot 
access Banks method getBanksData. The output is something like this:

com.evermind.server.rmi.OrionRemoteException: admin is not allowed to call this EJB method, check your security settings (method-permission in ejb-jar.xml and security-role-mapping in orion-application.xml).
        at Banks_EntityBeanWrapper0.getBanksData(Banks_EntityBeanWrapper0.java:1234)
        at com.coltronix.fortepay.security.SecurityGodBean.getBankByName(SecurityGodBean.java:696)
        at SecurityGod_StatelessSessionBeanWrapper11.getBankByName(SecurityGod_StatelessSessionBeanWrapper11.java:1138)
        at /profile/BanksProfile.jsp._jspService(/profile/BanksProfile.jsp.java:120) (JSP page line 138)
        at com.orionserver.http.OrionHttpJspPage.service(JAX)
        at com.evermind.server.http.HttpApplication.xa(JAX)
        at com.evermind.server.http.JSPServlet.service(JAX)
        at com.evermind.server.http.d3.so(JAX)
        at com.evermind.server.http.d3.sm(JAX)
        at com.evermind.server.http.ef.su(JAX)
        at com.evermind.server.http.ef.dn(JAX)
        at com.evermind.util.f.run(JAX)

As you can see, admin can access any method of session bean SecurityGod (sg.create() 
and sg.getBankByName()).
Also, admin can access Banks remote method create(), but admin cannot access Banks 
method getBanksData.

Why is this happening? Why can't admin access a Home interface method?
Something is strange: how can admin access SecurityGod's home method getBankByName() if 
in the descriptor only the create() remote method is declared?

Another thing: initially, my descriptors looked something like this:
        <assembly-descriptor>
        <security-role>
                <role-name>sr_administrators</role-name>
        </security-role>
        <security-role>
                <role-name>sr_banks</role-name>
        </security-role>
        <method-permission>
            <role-name>sr_administrators</role-name>
            <method>
                <ejb-name>Banks</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>
        </assembly-descriptor>

and:
        <assembly-descriptor>
        <security-role>
                <role-name>sr_administrators</role-name>
        </security-role>
        <security-role>
                <role-name>sr_users</role-name>
        </security-role>
        <method-permission>
            <role-name>sr_administrators</role-name>
            <method>
                <ejb-name>SecurityGod</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>
        </assembly-descriptor>

I had granted access for user admin to all methods in Banks and SecurityGod. Even so, I 
could not access the create() method of the SecurityBean.

If anyone could help me, please do!
Thanks!

PS: sorry for my bad English..
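Added example, not part of the post above and not Orion's own code: a small Python checker that applies the EJB 1.1 <method-permission> matching rules (a missing <method-intf> means the rule covers both the Home and the Remote interface; a <method-name> of * covers every method of the selected interface(s)) to an assembly-descriptor. The descriptor embedded in it is constructed for the example and only modelled on the Banks ejb-jar.xml from the post; a method that no rule matches is reported as granted to no role, which is the conservative reading, not a statement of what any particular container does with unlisted methods. Overloaded methods distinguished by <method-params> are not handled.

```python
# Added example: evaluate EJB 1.1 <method-permission> rules from an ejb-jar.xml
# assembly-descriptor to see which roles a given bean method is granted to.
import xml.etree.ElementTree as ET

# Constructed descriptor for this example, modelled on the Banks ejb-jar.xml in the post.
# The second permission deliberately omits <method-intf> to show that such a rule
# applies to both the Home and the Remote interface.
BANKS_EJB_JAR = """<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>sr_administrators</role-name></security-role>
    <security-role><role-name>sr_banks</role-name></security-role>
    <method-permission>
      <role-name>sr_administrators</role-name>
      <method>
        <ejb-name>Banks</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>sr_banks</role-name>
      <method>
        <ejb-name>Banks</ejb-name>
        <method-name>getBanksData</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""


def parse_permissions(xml_text):
    """Return one rule per <method> element: roles, bean name, interface (or None) and method name."""
    root = ET.fromstring(xml_text)
    rules = []
    for mp in root.iter("method-permission"):
        roles = {r.text.strip() for r in mp.findall("role-name")}
        for m in mp.findall("method"):
            intf = m.findtext("method-intf")
            rules.append({
                "roles": roles,
                "ejb": m.findtext("ejb-name").strip(),
                # No <method-intf>: the rule applies to Home and Remote alike.
                "intf": intf.strip() if intf else None,
                # "*" matches every method of the selected interface(s).
                "name": m.findtext("method-name").strip(),
            })
    return rules


def declared_roles(xml_text):
    """Roles declared with <security-role> in the descriptor."""
    root = ET.fromstring(xml_text)
    return {sr.findtext("role-name").strip() for sr in root.iter("security-role")}


def roles_for(rules, ejb, intf, method):
    """Union of the roles granted to ejb.intf.method by every matching rule."""
    granted = set()
    for r in rules:
        if r["ejb"] != ejb:
            continue
        if r["intf"] is not None and r["intf"] != intf:
            continue
        if r["name"] not in ("*", method):
            continue
        granted |= r["roles"]
    return granted


def is_allowed(rules, ejb, intf, method, caller_roles):
    """True if any of the caller's roles is granted the method; unlisted methods grant nothing."""
    return bool(roles_for(rules, ejb, intf, method) & set(caller_roles))


def undeclared_roles(xml_text):
    """Roles referenced by a <method-permission> but never declared as a <security-role>."""
    used = set()
    for r in parse_permissions(xml_text):
        used |= r["roles"]
    return used - declared_roles(xml_text)


if __name__ == "__main__":
    rules = parse_permissions(BANKS_EJB_JAR)
    for intf, name in [("Remote", "getBanksData"), ("Home", "create"), ("Home", "findByName")]:
        roles = sorted(roles_for(rules, "Banks", intf, name))
        print(f"Banks {intf}.{name}: {roles or 'NO ROLE GRANTED'}")
    print("roles used but not declared:", undeclared_roles(BANKS_EJB_JAR))
```

Run against the constructed descriptor, the checker shows that the sr_administrators rule with <method-intf>Remote</method-intf> and * grants nothing on the Home interface (create, findByName), while the rule without <method-intf> grants getBanksData to sr_banks on both interfaces. Pointing it at a real ejb-jar.xml confirms whether the descriptor itself grants a method to the caller's role; if it does, the remaining item named in the Orion error message, the security-role-mapping in orion-application.xml, is where to look next.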