Re: User/Role problem (solved)

There was another method permission set on findByPrimaryKey(). Orion obviously calls this method for a remote object when you call a remote method on that object (presumably for up-to-date checks). Thus a remote method may only be invoked by a user that belongs to roles for both the remote method in question and for any subsequently needed Home/Remote methods. Pretty obvious when you look at it that way, isn't it? Only methods implicitly called by OrionServer are not always that obvious. ;-)

Yours
Armin Michel

On Tuesday 08 May 2001 15:52, you wrote:
> Following situation:
> - I restricted method permission of method foo to role bar
> - if I do:
>   roleManager.addToRole(ctx.getCallerPrincipal(),bar); foo();
>   everything works just fine.
> - if I create a (temporary) user (e.g. user123), add him to role bar, then log him in with the RoleManager and finally do a foo(), I get a security exception (see below).
> Why? Are there some default roles that I have to add a newly created user to? Are there any further group permissions I've got to set for group bar? (I took the permissions of group users.)
> For completeness:
> - I have also created a group named bar (in principal.xml) and specified a security-role-mapping (in orion-ejb.xml).
> - Furthermore I added a security-role definition for bar in both the application.xml and the ejb-jar.xml.
> - I have also tried the <default-ejb-caller-role> role and then changed the default-method-access to role bar.
> - I also triple checked that ctx.isCallerInRole(bar) returns true just the line before I call foo().
> The exception:
> [java] javax.transaction.TransactionRolledbackException: com.evermind.server.rmi.OrionRemoteException: user123 is not allowed to call this EJB method, check your security settings (method-permission in ejb-jar.xml and security-role-mapping in orion-application.xml).
> [java] at com.evermind.server.rmi.bb.invokeMethod(JAX)
> [java] at com.evermind.server.rmi.a2.invoke(JAX)
> [java] at com.evermind.server.rmi.a3.invoke(JAX)
> Ideas, or even solutions?
> Armin Michel
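As an added illustration of the fix described in the message above (this is not from the thread; the EJB name FooBean and the use of the Remote/Home interface types are assumed), here is the method-permission that grants role bar only foo() on the Remote interface, beside the version that also covers the Home finder Orion invokes implicitly on every remote call, plus the Orion role-to-group mapping:

```xml
<!-- ejb-jar.xml assembly-descriptor (EJB name FooBean is assumed) -->
<assembly-descriptor>
  <security-role>
    <role-name>bar</role-name>
  </security-role>

  <!-- Incomplete: bar is granted foo() on the Remote interface only.
       findByPrimaryKey() on the Home, which Orion calls implicitly when
       foo() is invoked remotely, is governed by some other
       method-permission (or the default access), so a user that holds only
       bar fails with "user123 is not allowed to call this EJB method". -->
  <method-permission>
    <role-name>bar</role-name>
    <method>
      <ejb-name>FooBean</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>foo</method-name>
    </method>
  </method-permission>

  <!-- Complete (replaces the block above): the same role also gets the
       Home finder that every remote call to this bean needs. -->
  <method-permission>
    <role-name>bar</role-name>
    <method>
      <ejb-name>FooBean</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>foo</method-name>
    </method>
    <method>
      <ejb-name>FooBean</ejb-name>
      <method-intf>Home</method-intf>
      <method-name>findByPrimaryKey</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

<!-- orion-application.xml (or orion-ejb.xml): map role bar to the group
     bar from principal.xml; user123 must be a member of that group. -->
<security-role-mapping name="bar">
  <group name="bar" />
</security-role-mapping>
```

A quick check after the change is to invoke foo() as user123 alone: if the Home finder is still denied, the exception names the EJB method rather than foo(), which is the clue that an implicitly called method is the one missing a permission.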
RE: User/Role problem

Are you using the default user manager (the one using the principal files)? In that case it is easy to check what's happening by adding roleManager.store() in your code. That'll store all your changes in the principal files. After that it's a piece of cake to check the relations. 'user123' should be a member of one of the groups that are mapped to your 'bar' role (i.e. the bar group).

I can remember I struggled some time ago with the RoleManager and the UserManager as well. After a while I realized that they offer RoleManagement plus some convenience methods (like createPrincipal), which sometimes gets confusing. The UserManager should manage users and groups; the RoleManager manages roles and stores changes to persistence (why can't you do that using the UserManager?). [Early postings to this list also clarify some of these issues]

FE
Re: User/Role problem

On Tuesday 08 May 2001 17:14, you wrote:
> We have had similar problems, and I have reported them to Orion (but they said they couldn't reproduce the problem). Here is what I found. If you have an EJB method foo(), and you restrict its access to a role MYROLE, then a user who, according to the XML files, should have access to foo() is denied access. If, however (and quite contrary to specs) you specify a GROUP name (e.g. MYGROUP) instead of a ROLE name (e.g. MYROLE), then access is granted (assuming your user is in that group). I would be very interested to know if you can confirm this.

Probably yes. IMHO, Orion forces me to specify a group for every role that I define. I can only do an addToRole(bar) when I have a group defined that bar is mapped upon. Your problem may be closely related to mine, but I think my problem is still another one.

> Nick
Re: User/Role problem

We have had similar problems, and I have reported them to Orion (but they said they couldn't reproduce the problem). Here is what I found. If you have an EJB method foo(), and you restrict its access to a role MYROLE, then a user who, according to the XML files, should have access to foo() is denied access. If, however (and quite contrary to specs) you specify a GROUP name (e.g. MYGROUP) instead of a ROLE name (e.g. MYROLE), then access is granted (assuming your user is in that group). I would be very interested to know if you can confirm this.

Nick