I am not sure if I expressed myself clearly in the last email. For example, in the ejb-jar.xml file, no method permission is defined, only some run-as configuration, and in Geronimo's plan, a security configuration is defined. Before the changes I made, the builder checked whether there were method permission definitions in the ejb-jar.xml; if not, the builder would not create the JACC Manager for that configuration even if there was security configuration in Geronimo's plan, which caused many cases to fail with access denied.

Thanks!

2009/6/10 David Jencks <[email protected]>

> Hi Ivan,
> On Jun 9, 2009, at 6:55 PM, Ivan wrote:
>
> Thanks, David, I have changed some code about EJB security, for it made
> some cases fail. Currently, I use whether the security segment exists in the
> deployment plan to decide whether the JACC Manager needs to be created or not.
>
>
> I think that's what we used to do and it is very wrong. It makes it too
> easy to deploy an app without security you expect because you don't
> understand how to write a geronimo plan. What we want is that if there are
> security annotations in the ejbs or if security is configured in the
> ejb-jar.xml spec deployment descriptor, then we require security
> configuration in the geronimo plan and set up the JACC stuff.
>
> I thought I found all the tck tests that had security in the spec dd or
> annotations and fixed the plans, but it's entirely possible I missed some.
> We should add security config to the geronimo plans rather than allowing
> deployment.
>
> thanks
> david jencks
>
>
> Ivan
>
> 2009/6/10 David Blevins <[email protected]>
>
>> On Jun 2, 2009, at 11:08 PM, Ivan wrote:
>>
>>> 1. If there is no method-permission for an EJB in the ejb-jar.xml,
>>> shall we still need a JACC Manager, in which we grant all the access
>>> permissions?
>>> 2. When will we say that the EJBDeploymentGBean of an EJB is not
>>> security-enabled? In the current code, the value seems always set to true.
>>
>> It seems both questions boil down to "if the user isn't using security,
>> can we have security-enabled set to false?" IIRC, that's what we did.
>> Though this part might have been changed along with David J's changes to
>> make it so that an app with EJB method-permissions (or equivalent
>> annotations) would fail on deployment if no security was set up.
>>
>> -David
>
> --
> Ivan

--
Ivan
