Hello all.
 
In our project we are using EJB 2.1 and I am trying to write security
tests to check that a user with a specific role is able to execute a given EJB
method.
After 2 days of looking through examples/docs I started them successfully,
but found strange behaviour in the security tests.
I have a test user 'user1' which has 1 role, 'Role2'.
 
Piece of the ejb-jar.xml file:
  <method-permission>
   <role-name>Role1</role-name>
   <method>
    <ejb-name>TradeEvent</ejb-name>
    <method-name>rebuildEventMessage</method-name>
   </method>
  </method-permission>
  <method-permission>
   <role-name>Role2</role-name>
   <method>
    <ejb-name>TradeEvent</ejb-name>
    <method-name>rebuildEventMessage</method-name>
   </method>
  </method-permission>

If I run my test with this sequence of method-permission nodes, with 'Role2'
declared after Role1, the test works fine.
But if I put the method-permission for Role1 after Role2 (just changing the
sequence of declaration) in ejb-jar.xml, the test fails with 'Access denied'.
If I grant Role1 to the user, the test works again.
 
This seems like a bug to me. Only the latest declaration for the bean is
working.
 
Could anyone please suggest something ?
 
 
Best regards 
Alexey Dranchuk 
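
Added example, not part of the original message and not the container's code: a descriptor check that computes the effective roles per method as the union of all method-permission elements, which is how the EJB 2.1 specification defines the relation, and evaluates both declaration orders from the post. The helper names and the "*" marker for unchecked are assumptions, and the parser expects a namespace-free fragment like the one quoted above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one method-permission element per role, as in the post.
PERMISSION = """<method-permission>
   <role-name>{role}</role-name>
   <method>
    <ejb-name>TradeEvent</ejb-name>
    <method-name>rebuildEventMessage</method-name>
   </method>
  </method-permission>"""

def descriptor(*roles):
    """Build an assembly-descriptor with one method-permission per role, in order."""
    body = "\n".join(PERMISSION.format(role=r) for r in roles)
    return "<assembly-descriptor>\n" + body + "\n</assembly-descriptor>"

def effective_permissions(xml_text):
    """Map (ejb-name, method-name) -> set of roles, unioned over all elements."""
    perms = defaultdict(set)
    # Assumption: tags carry no XML namespace (a real 2.1 descriptor may).
    for mp in ET.fromstring(xml_text).iter("method-permission"):
        roles = {r.text.strip() for r in mp.findall("role-name")}
        if mp.find("unchecked") is not None:
            roles.add("*")  # marker used in this example: any caller may invoke
        for m in mp.findall("method"):
            key = (m.findtext("ejb-name").strip(), m.findtext("method-name").strip())
            perms[key] |= roles  # union, so declaration order cannot matter
    return perms

def is_allowed(xml_text, user_roles, ejb, method):
    """True if any user role is granted on the method or on the '*' wildcard."""
    perms = effective_permissions(xml_text)
    granted = perms.get((ejb, method), set()) | perms.get((ejb, "*"), set())
    return "*" in granted or bool(granted & set(user_roles))

if __name__ == "__main__":
    for order in (("Role1", "Role2"), ("Role2", "Role1")):
        ok = is_allowed(descriptor(*order), {"Role2"}, "TradeEvent", "rebuildEventMessage")
        print(order, "->", "allowed" if ok else "Access denied")
```

Running the same check against the deployed ejb-jar.xml gives the expected answer to compare with what the container's security test reports.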
 