Created GERONIMO-4367.
++Vamsi
On Fri, Oct 17, 2008 at 1:21 PM, Vamsavardhana Reddy <[EMAIL PROTECTED]>wrote:
>
>
> On Fri, Oct 17, 2008 at 12:47 PM, David Jencks <[EMAIL PROTECTED]>wrote:
>
>>
>> On Oct 16, 2008, at 1:14 PM, Vamsavardhana Reddy wrote:
>>
>> I have a stateless bean BankBean1 as given below:
>>>
>>> @Stateless
>>> @DeclareRoles(value = {"bank", "customer"})
>>> public class BankBean1 implements Bank {
>>>
>>> @RolesAllowed({"customer", "bank"})
>>> public Double getBalance(Integer account) {
>>> return data.get(account);
>>> }
>>>
>>> @RolesAllowed({"bank"})
>>> public Double creditAccount(Integer account, Double amt) {
>>> ...
>>> return value;
>>> }
>>>
>>> @RolesAllowed({"bank"})
>>> public Double debitAccount(Integer account, Double amt) {
>>> ...
>>> return value;
>>> }
>>> }
>>>
>>> I have a second stateless bean BankBean2 that has a reference injected to
>>> BankBean1 and uses @RunAs as given below:
>>> @Stateless
>>> @DeclareRoles(value = {"bank", "customer"})
>>> @RunAs(value = "bank")
>>> public class BankBean2 implements Bank2 {
>>>
>>> @EJB
>>> private Bank bank; // BankBean1 gets injected here.
>>>
>>> public Double getBalance(Integer account) {
>>> return bank.getBalance(account);
>>> }
>>>
>>> public Double creditAccount(Integer account, Double amt) {
>>> return bank.creditAccount(account, amt);
>>> }
>>>
>>> public Double debitAccount(Integer account, Double amt) {
>>> return bank.debitAccount(account, amt);
>>> }
>>> }
>>>
>>> In the security mapping in openejb-jar.xml, if I specify a run-as-subject
>>> for "bank" role, BankBean2 is able to invoke BankBean1 as per that
>>> run-as-subject specified. But if I don't specify a run-as-subject, but only
>>> use a default-subject, BankBean2 is unable to invoke BankBean1 as per the
>>> default-subject specified. I guess the default-subject is being ignored.
>>> This is not the case with run-as-subject and default-subject used in
>>> geronimo-web.xml. In the absence of run-as-subject I notice that
>>> default-subject is used. I am wondering how the default-subject is used in
>>> ejb security.
>>>
>>
>> What is the default-subject you have specified? I'd expect it would be
>> used if no run-as subject is specified for the role.
>
> I tried a default-subject that maps to "customer" role and also a
> default-subject that maps to "bank" role. When I specify the run-as-subject
> the BankBean1 invocation is happening as per that subject i.e. when the
> subject contains a principal that maps to the "bank" role all methods are
> accessible and when the subject contains a principal that maps to "customer"
> role only getBalance() method is accessible. If I remove the run-as-subject
> and put the same as default-subject, none of the methods are accessible.
>
>
>> If you are trying to tell us that you have specified a default subject
>> with a principal that maps to the "bank" role and you still can't access the
>> BankBean1 then I think you've found a bug.... jira time :-)
>
> Yes, the methods are not accessible even when the default-subject has a
> principal that maps to "bank" role. I will create a JIRA and upload the
> test sample.
>
>
>>
>>
>> Note that our security system requires some extra configuration for the
>> run-as role to actually work, you need to specify a subject corresponding to
>> the run-as role. You are expected to assure that some principal in this
>> subject actually maps to the run-as role but this is not enfforced.
>
> This has been taken care. I am using SimpleCredentialStoreImpl to create a
> credential store and the credential-store-ref element in security element in
> the deployment plan.
>
> ++Vamsi
>
>>
>>
>> thanks
>> david jencks
>>
>>
>>> ++Vamsi
>>>
>>>
>>
>
