On Fri, Oct 17, 2008 at 12:47 PM, David Jencks <[EMAIL PROTECTED]> wrote:
>
> On Oct 16, 2008, at 1:14 PM, Vamsavardhana Reddy wrote:
>
>> I have a stateless bean BankBean1 as given below:
>>
>> import java.util.HashMap;
>> import java.util.Map;
>> import javax.annotation.security.DeclareRoles;
>> import javax.annotation.security.RolesAllowed;
>> import javax.ejb.Stateless;
>>
>> @Stateless
>> @DeclareRoles(value = {"bank", "customer"})
>> public class BankBean1 implements Bank {
>>
>>     // Account balances keyed by account number (the field the methods
>>     // below read from; declaration added, as the snippet only referenced it).
>>     private final Map<Integer, Double> data = new HashMap<Integer, Double>();
>>
>>     // Readable by customers and bank staff.
>>     @RolesAllowed({"customer", "bank"})
>>     public Double getBalance(Integer account) {
>>         return data.get(account);
>>     }
>>
>>     // Balance-changing operations are restricted to the "bank" role.
>>     @RolesAllowed({"bank"})
>>     public Double creditAccount(Integer account, Double amt) {
>>         ...
>>         return value;
>>     }
>>
>>     @RolesAllowed({"bank"})
>>     public Double debitAccount(Integer account, Double amt) {
>>         ...
>>         return value;
>>     }
>> }
>>
>> I have a second stateless bean BankBean2 that has a reference to
>> BankBean1 injected and uses @RunAs as given below:
>>
>> import javax.annotation.security.DeclareRoles;
>> import javax.annotation.security.RunAs;
>> import javax.ejb.EJB;
>> import javax.ejb.Stateless;
>>
>> @Stateless
>> @DeclareRoles(value = {"bank", "customer"})
>> @RunAs(value = "bank") // outbound calls from this bean carry the "bank" role
>> public class BankBean2 implements Bank2 {
>>
>>     @EJB
>>     private Bank bank; // BankBean1 gets injected here.
>>
>>     public Double getBalance(Integer account) {
>>         return bank.getBalance(account);
>>     }
>>
>>     public Double creditAccount(Integer account, Double amt) {
>>         return bank.creditAccount(account, amt);
>>     }
>>
>>     public Double debitAccount(Integer account, Double amt) {
>>         return bank.debitAccount(account, amt);
>>     }
>> }
>>
>> In the security mapping in openejb-jar.xml, if I specify a run-as-subject
>> for the "bank" role, BankBean2 is able to invoke BankBean1 as per that
>> run-as-subject. But if I don't specify a run-as-subject and only use a
>> default-subject, BankBean2 is unable to invoke BankBean1 as per the
>> default-subject specified. I guess the default-subject is being ignored.
>> This is not the case with the run-as-subject and default-subject used in
>> geronimo-web.xml: in the absence of a run-as-subject I notice that the
>> default-subject is used. I am wondering how the default-subject is used in
>> EJB security.
>>
>
> What is the default-subject you have specified? I'd expect it would be
> used if no run-as subject is specified for the role.
I tried a default-subject that maps to the "customer" role and also a
default-subject that maps to the "bank" role. When I specify the run-as-subject,
the BankBean1 invocation happens as per that subject, i.e. when the subject
contains a principal that maps to the "bank" role all methods are accessible,
and when the subject contains a principal that maps to the "customer" role only
the getBalance() method is accessible. If I remove the run-as-subject and put
the same subject as the default-subject, none of the methods are accessible.
> If you are trying to tell us that you have specified a default subject
> with a principal that maps to the "bank" role and you still can't access
> BankBean1 then I think you've found a bug... JIRA time :-)
Yes, the methods are not accessible even when the default-subject has a
principal that maps to the "bank" role. I will create a JIRA and upload the
test sample.
>
>
> Note that our security system requires some extra configuration for the
> run-as role to actually work: you need to specify a subject corresponding to
> the run-as role. You are expected to ensure that some principal in this
> subject actually maps to the run-as role, but this is not enforced.
This has been taken care of. I am using SimpleCredentialStoreImpl to create a
credential store and the credential-store-ref element in the security element of
the deployment plan.
++Vamsi
>
>
> thanks
> david jencks
>
>
>> ++Vamsi
>>
>>
>
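The thread describes the openejb-jar.xml mapping in words only. The fragment below is an added example written for this page; it is not code from the thread, from Vamsi's test sample or from the Geronimo documentation. It uses the Geronimo security-2.0 plan elements the thread names (credential-store-ref, default-subject, role-mappings with a run-as-subject), but the credential store name "CredentialStore", the realm name "bank-realm", the subject ids "teller" and "default-customer", and the group names "tellers" and "customers" are assumptions chosen for illustration. The default-subject is deliberately mapped to a "customer" user so that, if it is picked up for a bean whose @RunAs role has no run-as-subject, only getBalance() on BankBean1 should succeed; that is the observable difference between the two subjects.

```xml
<!-- Added example: <security> element of openejb-jar.xml for the BankBean1/BankBean2
     module. All realm, id, store and group names are assumed. -->
<security xmlns="http://geronimo.apache.org/xml/ns/security-2.0">

  <!-- Credential store that holds the subjects referenced by realm/id below.
       Name assumed; it must match the credential store GBean deployed for the module. -->
  <credential-store-ref>
    <name>CredentialStore</name>
  </credential-store-ref>

  <!-- Subject expected to be used when a bean's @RunAs role has no run-as-subject.
       Mapped to a customer on purpose: with it, BankBean2 -> BankBean1 should reach
       getBalance() but be refused on creditAccount()/debitAccount(). -->
  <default-subject>
    <realm>bank-realm</realm>
    <id>default-customer</id>
  </default-subject>

  <role-mappings>
    <role role-name="bank">
      <!-- Subject that BankBean2's @RunAs("bank") actually runs as. The container
           does not verify that this subject's principals map to "bank"; here the
           "teller" entry is assumed to carry the "tellers" group principal below. -->
      <run-as-subject>
        <realm>bank-realm</realm>
        <id>teller</id>
      </run-as-subject>
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                 name="tellers"/>
    </role>

    <role role-name="customer">
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                 name="customers"/>
    </role>
  </role-mappings>
</security>
```

One caveat that the thread does not raise but that matters when this mapping works: @RunAs only changes the identity BankBean2 presents on its outbound calls; it does not restrict who may call BankBean2. Under EJB 3.0 a business method with no @RolesAllowed, @PermitAll or @DenyAll at method or class level, and no method-permission in the deployment descriptor, is unchecked and open to every caller. As posted, BankBean2.creditAccount() can therefore be invoked by a caller holding only "customer" (or no role at all), and the nested call to BankBean1 then succeeds as "bank". Put the same @RolesAllowed({"bank"}) on creditAccount() and debitAccount() of BankBean2 as on BankBean1, so the run-as subject elevates only callers who were already authorised.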