Re: Help: Mapping roles to users.
Hi Dave,

Have you posted a bug report to the orion bug list, or isn't it a bug? Have you found a workaround for your security needs? I'm thinking of writing something myself, but if you have already done this could you give some insight on how to do this?

Thanks in advance,
Greetings
Wim Veninga

Dave Smith wrote:
> This has been a long running problem that I never received an answer to, despite much discussion on this list.
>
> wim veninga wrote:
> > Hi all,
> >
> > I have created a set of Enterprise beans, and in the assembly descriptor I have defined a set of roles that have some permissions to run methods (in ejb-jar.xml). When I deploy the application and then modify orion-ejb-jar.xml to map the roles to different groups in the assembly descriptor and then re-start or re-deploy the application (using orionconsole.jar), orion overwrites the changes I've made in orion-ejb-jar.xml (see below for the deployment descriptors ejb-jar.xml, orion-ejb-jar.xml and orion-ejb-jar.xml after re-starting/re-deploying).
> >
> > Has anybody done this in orion (with ejb 2.0 on orion 1.2.0)? If so, can you send me the deployment descriptors? Have I made an error? (The groups are defined in principals.xml and the role-mappings aren't being overwritten in orion-application.xml.)
> >
> > Does the default-method-access tag in orion-ejb-jar.xml mean that all the methods that aren't tied to a method permission in ejb-jar.xml can be called by the group/user and that all the methods that are can't be called?
> >
> > Thanks in advance,
> > Greetings
> > Wim Veninga
> >
> > In ejb-jar.xml:
> >
> > <?xml version="1.0"?>
> > <!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN" "http://java.sun.com/j2ee/dtds/ejb-jar_2_0.dtd">
> > <!-- KOZIJNCALC BEANS -->
> > <ejb-jar>
> >   <description>The deployment descriptor for the com.fnv.kozijncalc beans</description>
> >   <enterprise-beans>
> >     <entity>
> >       <description></description>
> >       <ejb-name>Klant</ejb-name>
> >       <home>com.fnv.kozijncalc.entities.klanten.KlantHome</home>
> >       <remote>com.fnv.kozijncalc.entities.klanten.Klant</remote>
> >       <ejb-class>com.fnv.kozijncalc.entities.klanten.KlantEJB</ejb-class>
> >       <persistence-type>Container</persistence-type>
> >       <prim-key-class>java.lang.Integer</prim-key-class>
> >       <reentrant>False</reentrant>
> >       <cmp-field><field-name>klantNr</field-name></cmp-field>
> >       <cmp-field><field-name>klantNaam</field-name></cmp-field>
> >       <cmp-field><field-name>klantAdres</field-name></cmp-field>
> >       <cmp-field><field-name>klantPostcode</field-name></cmp-field>
> >       <cmp-field><field-name>klantPlaats</field-name></cmp-field>
> >       <cmp-field><field-name>klantLand</field-name></cmp-field>
> >       <cmp-field><field-name>klantTelefoon</field-name></cmp-field>
> >       <cmp-field><field-name>klantContactPersoon</field-name></cmp-field>
> >       <primkey-field>klantNr</primkey-field>
> >     </entity>
> >     <session>
> >       <ejb-name>KlantSession</ejb-name>
> >       <home>com.fnv.kozijncalc.sessions.klanten.KlantSessionHome</home>
> >       <remote>com.fnv.kozijncalc.sessions.klanten.KlantSession</remote>
> >       <ejb-class>com.fnv.kozijncalc.sessions.klanten.KlantSessionBean</ejb-class>
> >       <session-type>Stateless</session-type>
> >       <transaction-type>Container</transaction-type>
> >       <ejb-ref>
> >         <ejb-ref-name>kozijn/ejb/KlantHome</ejb-ref-name>
> >         <ejb-ref-type>Entity</ejb-ref-type>
> >         <home>com.fnv.kozijncalc.entities.klanten.KlantHome</home>
> >         <remote>com.fnv.kozijncalc.entities.klanten.Klant</remote>
> >         <ejb-link>Klant</ejb-link>
> >       </ejb-ref>
> >     </session>
> >   </enterprise-beans>
> >   <assembly-descriptor>
> >     <!-- Security roles -->
> >     <security-role><role-name>calculator</role-name></security-role>
> >     <security-role><role-name>hoofd_calculator</role-name></security-role>
> >     <security-role><role-name>werkvoorbereiding</role-name></security-role>
> >     <!-- The method permissions that the different roles have to call methods -->
> >     <!-- The method permissions for the werkvoorbereiding role, currently not any methods-->
> >     <method-permission>
> >       <role-name>werkvoorbereiding</role-name>
> >     </method-permission>
> >     <!-- The calculator method permissions -->
> >     <method-permission>
> >       <description>The permissions of the calculator role</description>
> >       <role-name>calculator</role-name>
> >       <method>
> >         <description>The permissions for the klant entity bean remote</description>
> >         <ejb-name>Klant</ejb-name>
> >         <method-intf>Remote</method-intf>
> >         <method-name>*</method-name>
> >       </method>
> >       <method>
> >         <description>A permission for the klant entity bean home</description>
> >         <ejb-name>Klant</ejb-name>
> >         <method-intf>Home</method-intf>
> >         <method-name>findAll</method-name>
> >       </method>
> >       <method>
> >         <description>A permission for the klant entity bean home</description>
> >         <ejb-name>Klant</ejb-name>
> >         <method-intf>Home</method-intf>
> >         <method-name>findByKlantNaam</method-name>
> >         <method-params><method-param>java.lang.String</method-param></method-params>
> >       </method>
> >       <method>
> >         <description>A permission for the klant entity bean home</description>
> >         <ejb-name>Klant</ejb-name>
> >         <method-intf>Home</method-intf>
> >         <method-name>findByPrimaryKey</method-name>
> >         <method-params><method-param>java.lang.Integer</method-param></method-params>
> >       </method>
> >       <method>
> >         <description>The permissions for the klant session bean</description>
> >         <ejb-name>KlantSession</ejb-name>
Re: Help: Mapping roles to users.
Hello Dave and others,

we'll post some better explanation on this soon, but until then, have you gotten the ATM to work with the user management? It is a good example of using roles and users in Orion.

Regards,
Karl Avedal

Dave Smith wrote:
> This has been a long running problem that I never received an answer to, despite much discussion on this list.
>
> wim veninga wrote:
> > Hi all,
> >
> > I have created a set of Enterprise beans, and in the assembly descriptor I have defined a set of roles that have some permissions to run methods (in ejb-jar.xml). When I deploy the application and then modify orion-ejb-jar.xml to map the roles to different groups in the assembly descriptor and then re-start or re-deploy the application (using orionconsole.jar), orion overwrites the changes I've made in orion-ejb-jar.xml (see below for the deployment descriptors ejb-jar.xml, orion-ejb-jar.xml and orion-ejb-jar.xml after re-starting/re-deploying).
> >
> > Has anybody done this in orion (with ejb 2.0 on orion 1.2.0)? If so, can you send me the deployment descriptors? Have I made an error? (The groups are defined in principals.xml and the role-mappings aren't being overwritten in orion-application.xml.)
> >
> > Does the default-method-access tag in orion-ejb-jar.xml mean that all the methods that aren't tied to a method permission in ejb-jar.xml can be called by the group/user and that all the methods that are can't be called?
> >
> > Thanks in advance,
> > Greetings
> > Wim Veninga
> >
> > In ejb-jar.xml:
> >
> > <?xml version="1.0"?>
> > <!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN" "http://java.sun.com/j2ee/dtds/ejb-jar_2_0.dtd">
> > <!-- KOZIJNCALC BEANS -->
> > <ejb-jar>
> >   <description>The deployment descriptor for the com.fnv.kozijncalc beans</description>
> >   <enterprise-beans>
> >     <entity>
> >       <description></description>
> >       <ejb-name>Klant</ejb-name>
> >       <home>com.fnv.kozijncalc.entities.klanten.KlantHome</home>
> >       <remote>com.fnv.kozijncalc.entities.klanten.Klant</remote>
> >       <ejb-class>com.fnv.kozijncalc.entities.klanten.KlantEJB</ejb-class>
> >       <persistence-type>Container</persistence-type>
> >       <prim-key-class>java.lang.Integer</prim-key-class>
> >       <reentrant>False</reentrant>
> >       <cmp-field><field-name>klantNr</field-name></cmp-field>
> >       <cmp-field><field-name>klantNaam</field-name></cmp-field>
> >       <cmp-field><field-name>klantAdres</field-name></cmp-field>
> >       <cmp-field><field-name>klantPostcode</field-name></cmp-field>
> >       <cmp-field><field-name>klantPlaats</field-name></cmp-field>
> >       <cmp-field><field-name>klantLand</field-name></cmp-field>
> >       <cmp-field><field-name>klantTelefoon</field-name></cmp-field>
> >       <cmp-field><field-name>klantContactPersoon</field-name></cmp-field>
> >       <primkey-field>klantNr</primkey-field>
> >     </entity>
> >     <session>
> >       <ejb-name>KlantSession</ejb-name>
> >       <home>com.fnv.kozijncalc.sessions.klanten.KlantSessionHome</home>
> >       <remote>com.fnv.kozijncalc.sessions.klanten.KlantSession</remote>
> >       <ejb-class>com.fnv.kozijncalc.sessions.klanten.KlantSessionBean</ejb-class>
> >       <session-type>Stateless</session-type>
> >       <transaction-type>Container</transaction-type>
> >       <ejb-ref>
> >         <ejb-ref-name>kozijn/ejb/KlantHome</ejb-ref-name>
> >         <ejb-ref-type>Entity</ejb-ref-type>
> >         <home>com.fnv.kozijncalc.entities.klanten.KlantHome</home>
> >         <remote>com.fnv.kozijncalc.entities.klanten.Klant</remote>
> >         <ejb-link>Klant</ejb-link>
> >       </ejb-ref>
> >     </session>
> >   </enterprise-beans>
> >   <assembly-descriptor>
> >     <!-- Security roles -->
> >     <security-role><role-name>calculator</role-name></security-role>
> >     <security-role><role-name>hoofd_calculator</role-name></security-role>
> >     <security-role><role-name>werkvoorbereiding</role-name></security-role>
> >     <!-- The method permissions that the different roles have to call methods -->
> >     <!-- The method permissions for the werkvoorbereiding role, currently not any methods-->
> >     <method-permission>
> >       <role-name>werkvoorbereiding</role-name>
> >     </method-permission>
> >     <!-- The calculator method permissions -->
> >     <method-permission>
> >       <description>The permissions of the calculator role</description>
> >       <role-name>calculator</role-name>
> >       <method>
> >         <description>The permissions for the klant entity bean remote</description>
> >         <ejb-name>Klant</ejb-name>
> >         <method-intf>Remote</method-intf>
> >         <method-name>*</method-name>
> >       </method>
> >       <method>
> >         <description>A permission for the klant entity bean home</description>
> >         <ejb-name>Klant</ejb-name>
> >         <method-intf>Home</method-intf>
> >         <method-name>findAll</method-name>
> >       </method>
> >       <method>
> >         <description>A permission for the klant entity bean home</description>
> >         <ejb-name>Klant</ejb-name>
> >         <method-intf>Home</method-intf>
> >         <method-name>findByKlantNaam</method-name>
> >         <method-params><method-param>java.lang.String</method-param></method-params>
> >       </method>
> >       <method>
Re: Help: Mapping roles to users.
Hi Karl,

I find the ATM code is very confusing. It uses the security role name "users", and the config/principals.xml file defines a group named "users", and apparently these two concepts are magically united. Where is the group assigned to the role? How does the atm's own principals.xml fit in to the scheme?

To try to answer these questions I assembled the smallest and simplest application I could think of (attached). I am fairly convinced that it demonstrates a bug in the security mechanism in orion. (And I have reported this, but not the extra information that I have just discovered - see below).

The application contains one very simple stateless session EJB which delivers a "hello world" message. All of the methods are defined to be accessible to the "TestRole". The orion-application.xml assigns the "TestGroup" to the "TestRole". The principals.xml defines the "TestGroup" and a user named "nick" with password "newman" who is in the "TestGroup" (and hence in the "TestRole").

The application also contains two jsp pages, which are also made accessible to the "TestRole". The first page prints request.getRemoteUser() (which displays "nick") and request.isUserInRole("TestRole") (which displays "true"). This works as expected, and tends to suggest the mappings work.

The second page tries to print the message from the session bean, but the access is denied ("nick is not allowed to call the ejb/Hello.create(...) method").

After MUCH frustration and experimentation I have just found that if the ejb-jar.xml file is changed to set the role-name to TestGroup (not TestRole!) then access is granted. (You may have to delete the orion-ejb-jar.xml to get rid of existing references to TestRole before deploying).

Surely access should be granted in terms of roles, not groups?

Thanks,
Nick Newman, SCIENTECH Inc

At 05:11 PM 8/18/00 +0200, you wrote:
> Hello Dave and others,
>
> we'll post some better explanation on this soon, but until then, have you gotten the ATM to work with the user management? It is a good example of using roles and users in Orion
>
> Regards,
> Karl Avedal
>
> Dave Smith wrote:
> > This has been a long running problem that I never received an answer to, despite much discussion on this list.

SecurityBug.ear
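An added example, not part of Nick's post and not Orion code: a small Python check that cross-references the three descriptors he describes, so a role used in a method-permission but never mapped to a group (or a group name used where a role name belongs, as in his workaround) is caught before deployment. The descriptor contents are constructed from his description and trimmed to the elements the check reads; the EJB name `Hello`, the assumed Orion element layout, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors mirroring the test application described above.
EJB_JAR = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>TestRole</role-name></security-role>
  <method-permission>
    <role-name>TestRole</role-name>
    <method><ejb-name>Hello</ejb-name><method-name>*</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""

ORION_APPLICATION = """<orion-application>
  <security-role-mapping name="TestRole"><group name="TestGroup"/></security-role-mapping>
</orion-application>"""

PRINCIPALS = """<principals>
  <groups><group name="TestGroup"/></groups>
  <users>
    <user username="nick"><group-membership group="TestGroup"/></user>
  </users>
</principals>"""


def texts(root, path):
    """Collect the stripped text of every element matching path."""
    return {e.text.strip() for e in root.findall(path) if e.text}


def load(ejb_jar, orion_app, principals):
    """Parse the three descriptors into the sets the audit compares."""
    ejb, app, prin = (ET.fromstring(x) for x in (ejb_jar, orion_app, principals))
    return {
        "declared": texts(ejb, "./assembly-descriptor/security-role/role-name"),
        "used": texts(ejb, "./assembly-descriptor/method-permission/role-name"),
        "mapping": {m.get("name"): {g.get("name") for g in m.findall("group")}
                    for m in app.findall("./security-role-mapping")},
        "groups": {g.get("name") for g in prin.findall("./groups/group")},
        "members": {u.get("username"):
                    {g.get("group") for g in u.findall("group-membership")}
                    for u in prin.findall("./users/user")},
    }


def audit(cfg):
    """Return (finding, subject) pairs for inconsistent role/group wiring."""
    findings = []
    for role in sorted(cfg["used"]):
        if role not in cfg["declared"]:
            findings.append(("undeclared-role", role))
        if not cfg["mapping"].get(role):
            findings.append(("unmapped-role", role))
        if role in cfg["groups"] and role not in cfg["mapping"]:
            findings.append(("group-name-used-as-role", role))
    for role, groups in sorted(cfg["mapping"].items()):
        for group in sorted(groups - cfg["groups"]):
            findings.append(("unknown-group", f"{role}->{group}"))
    return findings


def users_in_role(cfg, role):
    """Users who hold the role through a mapped group, per the descriptors."""
    groups = cfg["mapping"].get(role, set())
    return {user for user, gs in cfg["members"].items() if gs & groups}


if __name__ == "__main__":
    cfg = load(EJB_JAR, ORION_APPLICATION, PRINCIPALS)
    print(audit(cfg), users_in_role(cfg, "TestRole"))
```

Run against the descriptors as first described, the audit is clean and `nick` holds `TestRole`; with the role-name changed to `TestGroup` it reports that the permission now depends on a group name with no role mapping behind it.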
RE: Help: Mapping roles to users.
This week I only have 11am EST (8am here in California) open

Mark Lussier
Chief Software Architect
GE Power Systems eBusiness
DC 8*433-2232

-----Original Message-----
From: wim veninga [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 17, 2000 11:05 AM
To: Orion-Interest
Subject: Help: Mapping roles to users.

Hi all,

I have created a set of Enterprise beans, and in the assembly descriptor I have defined a set of roles that have some permissions to run methods (in ejb-jar.xml). When I deploy the application and then modify orion-ejb-jar.xml to map the roles to different groups in the assembly descriptor and then re-start or re-deploy the application (using orionconsole.jar), orion overwrites the changes I've made in orion-ejb-jar.xml (see below for the deployment descriptors ejb-jar.xml, orion-ejb-jar.xml and orion-ejb-jar.xml after re-starting/re-deploying).

Has anybody done this in orion (with ejb 2.0 on orion 1.2.0)? If so, can you send me the deployment descriptors? Have I made an error? (The groups are defined in principals.xml and the role-mappings aren't being overwritten in orion-application.xml.)

Does the default-method-access tag in orion-ejb-jar.xml mean that all the methods that aren't tied to a method permission in ejb-jar.xml can be called by the group/user and that all the methods that are can't be called?

Thanks in advance,
Greetings
Wim Veninga

In ejb-jar.xml:

<?xml version="1.0"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN" "http://java.sun.com/j2ee/dtds/ejb-jar_2_0.dtd">
<!-- KOZIJNCALC BEANS -->
<ejb-jar>
  <description>The deployment descriptor for the com.fnv.kozijncalc beans</description>
  <enterprise-beans>
    <entity>
      <description></description>
      <ejb-name>Klant</ejb-name>
      <home>com.fnv.kozijncalc.entities.klanten.KlantHome</home>
      <remote>com.fnv.kozijncalc.entities.klanten.Klant</remote>
      <ejb-class>com.fnv.kozijncalc.entities.klanten.KlantEJB</ejb-class>
      <persistence-type>Container</persistence-type>
      <prim-key-class>java.lang.Integer</prim-key-class>
      <reentrant>False</reentrant>
      <cmp-field><field-name>klantNr</field-name></cmp-field>
      <cmp-field><field-name>klantNaam</field-name></cmp-field>
      <cmp-field><field-name>klantAdres</field-name></cmp-field>
      <cmp-field><field-name>klantPostcode</field-name></cmp-field>
      <cmp-field><field-name>klantPlaats</field-name></cmp-field>
      <cmp-field><field-name>klantLand</field-name></cmp-field>
      <cmp-field><field-name>klantTelefoon</field-name></cmp-field>
      <cmp-field><field-name>klantContactPersoon</field-name></cmp-field>
      <primkey-field>klantNr</primkey-field>
    </entity>
    <session>
      <ejb-name>KlantSession</ejb-name>
      <home>com.fnv.kozijncalc.sessions.klanten.KlantSessionHome</home>
      <remote>com.fnv.kozijncalc.sessions.klanten.KlantSession</remote>
      <ejb-class>com.fnv.kozijncalc.sessions.klanten.KlantSessionBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <ejb-ref>
        <ejb-ref-name>kozijn/ejb/KlantHome</ejb-ref-name>
        <ejb-ref-type>Entity</ejb-ref-type>
        <home>com.fnv.kozijncalc.entities.klanten.KlantHome</home>
        <remote>com.fnv.kozijncalc.entities.klanten.Klant</remote>
        <ejb-link>Klant</ejb-link>
      </ejb-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- Security roles -->
    <security-role><role-name>calculator</role-name></security-role>
    <security-role><role-name>hoofd_calculator</role-name></security-role>
    <security-role><role-name>werkvoorbereiding</role-name></security-role>
    <!-- The method permissions that the different roles have to call methods -->
    <!-- The method permissions for the werkvoorbereiding role, currently not any methods-->
    <method-permission>
      <role-name>werkvoorbereiding</role-name>
    </method-permission>
    <!-- The calculator method permissions -->
    <method-permission>
      <description>The permissions of the calculator role</description>
      <role-name>calculator</role-name>
      <method>
        <description>The permissions for the klant entity bean remote</description>
        <ejb-name>Klant</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>*</method-name>
      </method>
      <method>
        <description>A permission for the klant entity bean home</description>
        <ejb-name>Klant</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>findAll</method-name>
      </method>
      <method>
        <description>A permission for the klant entity bean home</description>
        <ejb-name>Klant</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>findByKlantNaam</method-name>
        <method-params><method-param>java.lang.String</method-param></method-params>
      </method>
      <method>
        <description>A permission for the klant entity bean home</description>
        <ejb-name>Klant</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>findByPrimaryKey</method-name>
Re: Help: Mapping roles to users.
This has been a long running problem that I never received an answer to, despite much discussion on this list.

wim veninga wrote:
> Hi all,
>
> I have created a set of Enterprise beans, and in the assembly descriptor I have defined a set of roles that have some permissions to run methods (in ejb-jar.xml). When I deploy the application and then modify orion-ejb-jar.xml to map the roles to different groups in the assembly descriptor and then re-start or re-deploy the application (using orionconsole.jar), orion overwrites the changes I've made in orion-ejb-jar.xml (see below for the deployment descriptors ejb-jar.xml, orion-ejb-jar.xml and orion-ejb-jar.xml after re-starting/re-deploying).
>
> Has anybody done this in orion (with ejb 2.0 on orion 1.2.0)? If so, can you send me the deployment descriptors? Have I made an error? (The groups are defined in principals.xml and the role-mappings aren't being overwritten in orion-application.xml.)
>
> Does the default-method-access tag in orion-ejb-jar.xml mean that all the methods that aren't tied to a method permission in ejb-jar.xml can be called by the group/user and that all the methods that are can't be called?
>
> Thanks in advance,
> Greetings
> Wim Veninga
>
> In ejb-jar.xml:
>
> <?xml version="1.0"?>
> <!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN" "http://java.sun.com/j2ee/dtds/ejb-jar_2_0.dtd">
> <!-- KOZIJNCALC BEANS -->
> <ejb-jar>
>   <description>The deployment descriptor for the com.fnv.kozijncalc beans</description>
>   <enterprise-beans>
>     <entity>
>       <description></description>
>       <ejb-name>Klant</ejb-name>
>       <home>com.fnv.kozijncalc.entities.klanten.KlantHome</home>
>       <remote>com.fnv.kozijncalc.entities.klanten.Klant</remote>
>       <ejb-class>com.fnv.kozijncalc.entities.klanten.KlantEJB</ejb-class>
>       <persistence-type>Container</persistence-type>
>       <prim-key-class>java.lang.Integer</prim-key-class>
>       <reentrant>False</reentrant>
>       <cmp-field><field-name>klantNr</field-name></cmp-field>
>       <cmp-field><field-name>klantNaam</field-name></cmp-field>
>       <cmp-field><field-name>klantAdres</field-name></cmp-field>
>       <cmp-field><field-name>klantPostcode</field-name></cmp-field>
>       <cmp-field><field-name>klantPlaats</field-name></cmp-field>
>       <cmp-field><field-name>klantLand</field-name></cmp-field>
>       <cmp-field><field-name>klantTelefoon</field-name></cmp-field>
>       <cmp-field><field-name>klantContactPersoon</field-name></cmp-field>
>       <primkey-field>klantNr</primkey-field>
>     </entity>
>     <session>
>       <ejb-name>KlantSession</ejb-name>
>       <home>com.fnv.kozijncalc.sessions.klanten.KlantSessionHome</home>
>       <remote>com.fnv.kozijncalc.sessions.klanten.KlantSession</remote>
>       <ejb-class>com.fnv.kozijncalc.sessions.klanten.KlantSessionBean</ejb-class>
>       <session-type>Stateless</session-type>
>       <transaction-type>Container</transaction-type>
>       <ejb-ref>
>         <ejb-ref-name>kozijn/ejb/KlantHome</ejb-ref-name>
>         <ejb-ref-type>Entity</ejb-ref-type>
>         <home>com.fnv.kozijncalc.entities.klanten.KlantHome</home>
>         <remote>com.fnv.kozijncalc.entities.klanten.Klant</remote>
>         <ejb-link>Klant</ejb-link>
>       </ejb-ref>
>     </session>
>   </enterprise-beans>
>   <assembly-descriptor>
>     <!-- Security roles -->
>     <security-role><role-name>calculator</role-name></security-role>
>     <security-role><role-name>hoofd_calculator</role-name></security-role>
>     <security-role><role-name>werkvoorbereiding</role-name></security-role>
>     <!-- The method permissions that the different roles have to call methods -->
>     <!-- The method permissions for the werkvoorbereiding role, currently not any methods-->
>     <method-permission>
>       <role-name>werkvoorbereiding</role-name>
>     </method-permission>
>     <!-- The calculator method permissions -->
>     <method-permission>
>       <description>The permissions of the calculator role</description>
>       <role-name>calculator</role-name>
>       <method>
>         <description>The permissions for the klant entity bean remote</description>
>         <ejb-name>Klant</ejb-name>
>         <method-intf>Remote</method-intf>
>         <method-name>*</method-name>
>       </method>
>       <method>
>         <description>A permission for the klant entity bean home</description>
>         <ejb-name>Klant</ejb-name>
>         <method-intf>Home</method-intf>
>         <method-name>findAll</method-name>
>       </method>
>       <method>
>         <description>A permission for the klant entity bean home</description>
>         <ejb-name>Klant</ejb-name>
>         <method-intf>Home</method-intf>
>         <method-name>findByKlantNaam</method-name>
>         <method-params><method-param>java.lang.String</method-param></method-params>
>       </method>
>       <method>
>         <description>A permission for the klant entity bean home</description>
>         <ejb-name>Klant</ejb-name>
>         <method-intf>Home</method-intf>
>         <method-name>findByPrimaryKey</method-name>
>         <method-params><method-param>java.lang.Integer</method-param></method-params>
>       </method>
>       <method>
>         <description>The permissions for the klant session bean</description>
>         <ejb-name>KlantSession</ejb-name>
>         <method-name>create</method-name>
>       </method>
>       <method>
>         <description>The permissions for the klant session bean</description>
>         <ejb-name>KlantSession</ejb-name>
>         <method-name>findAllKlanten</method-name>
>       </method>
>     </method-permission>
>     <!-- The hoofd calculator method permissions -->
>     <method-permission>
>       <description>The permissions of