I'm trying to call an EJB with security annotations set on it, but only some of 
them work properly. Here is the EJB that I have:


  | import javax.annotation.security.DenyAll;
  | import javax.annotation.security.PermitAll;
  | import javax.annotation.security.RolesAllowed;
  | import javax.ejb.EJB;
  | import javax.ejb.Stateless;
  | 
  | import org.jboss.annotation.security.SecurityDomain;
  | 
  | // Class-level default: any method without its own security annotation
  | // should require one of these two roles.
  | @SecurityDomain("simple-security-domain")
  | @RolesAllowed( { "bank-manager", "teller" })
  | @Stateless
  | public class StatelessCalculatorBean implements Calculator, CalculatorRemote {
  | 
  |     @EJB(beanName = "InterestRateMBean")
  |     private InterestRateManager interestRateManager;
  | 
  |     // No method-level annotation: inherits the class-level @RolesAllowed.
  |     public double calculateTotalInterest(double presentValue, int years) {
  |             return calculateFutureValue(presentValue, years) - presentValue;
  |     }
  | 
  |     // Method-level annotation overrides the class-level one.
  |     @RolesAllowed("teller")
  |     public double calculateFutureValue(double presentValue, int years) {
  |             double interestRate = interestRateManager.getInterestRate() / 100;
  |             return presentValue * Math.pow((1.0 + interestRate), years);
  |     }
  | 
  |     @RolesAllowed("bank-manager")
  |     public double getInterestRate() {
  |             return interestRateManager.getInterestRate();
  |     }
  | 
  |     // Nobody should be able to call this.
  |     @DenyAll
  |     public String getTheAnswerToLifeTheUniverseAndEverything() {
  |             return "42";
  |     }
  | 
  |     // Everybody, including unauthenticated callers, should be able to call this.
  |     @PermitAll
  |     public String freeForAll() {
  |             return "You're in!";
  |     }
  | 
  | }

Here are my roles:

  | admin=bank-manager,teller
  | bank-manager=bank-manager
  | teller=teller
  | joe=customer
  | 

Here is what happens when I try to access the various methods from a standalone 
client:


  | --------------------------------------------
  | User: admin, Roles: bank-manager, teller
  | --------------------------------------------
  | admin could call calculateFutureValue (requires 'teller')
  | admin could call calculateTotalInterest (requires 'bank-manager' or 'teller')
  | admin could call getInterestRate (requires 'bank-manager')
  | admin could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
  | admin could not call freeForAll (PermitAll) - Caller unauthorized
  | --------------------------------------------
  | User: bank-manager, Roles: bank-manager
  | --------------------------------------------
  | bank-manager could not call calculateFutureValue (requires 'teller') - Caller unauthorized
  | bank-manager could call calculateTotalInterest (requires 'bank-manager' or 'teller')
  | bank-manager could call getInterestRate (requires 'bank-manager')
  | bank-manager could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
  | bank-manager could not call freeForAll (PermitAll) - Caller unauthorized
  | --------------------------------------------
  | User: teller, Roles: teller
  | --------------------------------------------
  | teller could call calculateFutureValue (requires 'teller')
  | teller could call calculateTotalInterest (requires 'bank-manager' or 'teller')
  | teller could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
  | teller could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
  | teller could not call freeForAll (PermitAll) - Caller unauthorized
  | --------------------------------------------
  | User: joe, Roles: customer
  | --------------------------------------------
  | joe could not call calculateFutureValue (requires 'teller') - Caller unauthorized
  | joe could call calculateTotalInterest (requires 'bank-manager' or 'teller')
  | joe could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
  | joe could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
  | joe could not call freeForAll (PermitAll) - Caller unauthorized
  | 

There are two problems (bugs?):

1) @PermitAll does not work for any of the roles.
2) From my understanding, the class-level @RolesAllowed annotation should apply 
to all the methods that don't override this with their own method-level 
@RolesAllowed annotation. As seen in the output above, everybody was able to 
access calculateTotalInterest() even though only bank-manager and teller were 
supposed to have access.

Has anybody else encountered this? I'll be glad to open a JIRA issue if these 
are bugs. 

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4123579#4123579

_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
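The post compares the container's behaviour against what the JSR-250 annotations are supposed to mean, but it never states the expected matrix explicitly. The following is an added example (not code from the original post and not JBoss's own authorization code) that computes the expected access matrix from the annotations themselves, using the JSR-250 precedence rules: a method-level @DenyAll, @PermitAll or @RolesAllowed wins over the class-level annotation, and a method with no annotation of its own inherits the class-level @RolesAllowed (or @PermitAll). It assumes the compiled bean class from the post and the javax.annotation-api (JSR-250) jar are on the classpath; the bean class name defaults to StatelessCalculatorBean but can be given as the first argument. The principal-to-roles table is copied from the roles file in the post.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/**
 * Computes the access matrix the EJB 3 / JSR-250 rules call for, so it can be
 * compared line by line with what the container actually does.
 * Added example; not part of the original post or of JBoss.
 */
public class ExpectedAccessMatrix {

    /** Marker for "anyone may call": @PermitAll, or no constraint at all. */
    static final Set<String> EVERYONE = null;

    /**
     * Roles allowed to invoke a business method, resolved with JSR-250 precedence:
     * method-level @DenyAll / @PermitAll / @RolesAllowed overrides the class-level
     * @PermitAll / @RolesAllowed; an unannotated method inherits the class default.
     * Returns EVERYONE (null) for "anyone" and an empty set for "nobody".
     */
    static Set<String> allowedRoles(Method m) {
        if (m.isAnnotationPresent(DenyAll.class)) {
            return Collections.emptySet();
        }
        if (m.isAnnotationPresent(PermitAll.class)) {
            return EVERYONE;
        }
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) {
            // Fall back to the class-level default (only the bean class counts,
            // annotations on the business interfaces are ignored by the spec).
            Class<?> bean = m.getDeclaringClass();
            if (bean.isAnnotationPresent(PermitAll.class)) {
                return EVERYONE;
            }
            ra = bean.getAnnotation(RolesAllowed.class);
            if (ra == null) {
                return EVERYONE; // no constraint anywhere: the method is unchecked
            }
        }
        return new HashSet<String>(Arrays.asList(ra.value()));
    }

    /** True if a caller holding callerRoles may invoke m (any one matching role is enough). */
    static boolean canCall(Method m, Set<String> callerRoles) {
        Set<String> allowed = allowedRoles(m);
        return allowed == EVERYONE || !Collections.disjoint(allowed, callerRoles);
    }

    static String describe(Set<String> allowed) {
        if (allowed == EVERYONE) return "PermitAll";
        if (allowed.isEmpty()) return "DenyAll";
        return "requires " + allowed;
    }

    private static Set<String> roles(String... names) {
        return new HashSet<String>(Arrays.asList(names));
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // Bean to inspect: the bean from the post unless another class name is given.
        Class<?> bean = Class.forName(args.length > 0 ? args[0] : "StatelessCalculatorBean");

        // Same principal -> roles assignment as the roles file in the post.
        Map<String, Set<String>> users = new LinkedHashMap<String, Set<String>>();
        users.put("admin", roles("bank-manager", "teller"));
        users.put("bank-manager", roles("bank-manager"));
        users.put("teller", roles("teller"));
        users.put("joe", roles("customer"));

        for (Map.Entry<String, Set<String>> user : users.entrySet()) {
            System.out.println("User: " + user.getKey() + ", Roles: " + user.getValue());
            for (Method m : bean.getDeclaredMethods()) {
                // Only public, non-static, non-synthetic methods are business methods.
                int mod = m.getModifiers();
                if (!Modifier.isPublic(mod) || Modifier.isStatic(mod) || m.isSynthetic()) {
                    continue;
                }
                System.out.println("  " + (canCall(m, user.getValue()) ? "can call    " : "CANNOT call ")
                        + m.getName() + " (" + describe(allowedRoles(m)) + ")");
            }
        }
    }
}
```

Run it with the bean's class directory on the classpath and diff its output against the container's. For the bean in the post it lists calculateTotalInterest as "requires [bank-manager, teller]" (so joe, with only "customer", should be refused) and freeForAll as "PermitAll" for every user, which is exactly where the container output above diverges.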