I am trying to use declarative authorization restrictions, but they don't work. JBoss is 4.0.4.GA.
I use FORM authentication and call a stateless session bean via a servlet.
The users and roles are set by DatabaseServerLoginModule.
The users are:
mysql> select * from users;
+----------+----------+
| username | passwd   |
+----------+----------+
| user1    | password |
| user2    | password |
| user3    | password |
| manager  | password |
+----------+----------+
mysql> select * from userroles;
+----------+-----------+
| username | userRoles |
+----------+-----------+
| user1    | user      |
| user2    | user      |
| user3    | user      |
| manager  | admin     |
+----------+-----------+
The program is a tiny one.
The method multi is allowed only for the "user" role.
The method plus is allowed only for the "admin" role.
The method minus is allowed for any role.
I executed the program, but manager is able to execute multi, and user1 is able to
execute plus.
No message comes from JBoss.
| package security.sample;
|
| import java.security.Principal;
|
| import javax.annotation.Resource;
| import javax.annotation.security.PermitAll;
| import javax.annotation.security.RolesAllowed;
| import javax.ejb.SessionContext;
| import javax.ejb.Stateless;
|
| @Stateless
| public class CalculatorBean implements Calculator {
|
|     @Resource SessionContext ctx;
|
|     @RolesAllowed("user")
|     public int multi(int value1, int value2) {
|         checkUser("multi");
|         return value1 * value2;
|     }
|
|     @RolesAllowed("admin")
|     public int plus(int value1, int value2) {
|         checkUser("plus");
|         return value1 + value2;
|     }
|
|     @PermitAll
|     public int minus(int value1, int value2) {
|         checkUser("minus");
|         return value1 - value2;
|     }
|
|     private void checkUser(String methodName) {
|         System.out.println("method:" + methodName);
|         Principal caller = ctx.getCallerPrincipal();
|         String name = caller.getName();
|         System.out.println("name:" + name);
|     }
| }
|
Does anyone check declarative authorization?
Could you give me some advice?
Susumu
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3953361#3953361
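
The access decisions the post expects from its annotations, as an added example that is not part of the original post and is not JBoss code: it models the role check only and does not diagnose why the container skipped it. The annotation types are local stand-ins for javax.annotation.security, and RoleCheckDemo, Calc and isAllowed are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class RoleCheckDemo {
    // Local stand-ins for javax.annotation.security.* so this compiles without a Java EE jar.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RolesAllowed { String[] value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface PermitAll {}

    // Same method-to-role mapping as CalculatorBean in the post (hypothetical class name).
    static class Calc {
        @RolesAllowed("user")  public int multi(int a, int b) { return a * b; }
        @RolesAllowed("admin") public int plus(int a, int b)  { return a + b; }
        @PermitAll             public int minus(int a, int b) { return a - b; }
    }

    // Constructed sample data, taken from the userroles table in the post.
    static final Map<String, Set<String>> USER_ROLES = new LinkedHashMap<>();
    static {
        USER_ROLES.put("user1", Collections.singleton("user"));
        USER_ROLES.put("manager", Collections.singleton("admin"));
    }

    // The decision an authorization layer is expected to make before dispatching the call.
    static boolean isAllowed(Method m, Set<String> callerRoles) {
        if (m.isAnnotationPresent(PermitAll.class)) return true;
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) return true; // unannotated methods are treated as unchecked in this model
        for (String role : ra.value()) if (callerRoles.contains(role)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"multi", "plus", "minus"}) {
            Method m = Calc.class.getMethod(name, int.class, int.class);
            for (Map.Entry<String, Set<String>> u : USER_ROLES.entrySet()) {
                String verdict = isAllowed(m, u.getValue()) ? "allow" : "deny";
                System.out.println(u.getKey() + " -> " + name + ": " + verdict);
            }
        }
    }
}
```

Comparing this matrix with what the deployed bean actually permits for each user and method gives a quick regression check for whether the declared roles are being enforced.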