EJB security config in ejb-jar.xml does not override the ones defined via
security annotations
----------------------------------------------------------------------------------------------
Key: GERONIMO-5137
URL: https://issues.apache.org/jira/browse/GERONIMO-5137
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Components: OpenEJB
Affects Versions: 2.1.5
Reporter: Forrest Xia
Tried the DataCDInfo sample on G 2.1.4 and 2.1 branch, and found that these EJB
security settings in ejb-jar.xml do not override the ones defined in code via
annotations.
Here is the definition in ejb-jar.xml:
<assembly-descriptor>
  <method-permission>
    <role-name>superadmin</role-name>
    <method>
      <ejb-name>ejb/DataCDInfoAdmin</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
  <!-- In code, role "admin" only has right to access listOwners method,
       but via this xml definition, the role could also access
       listAllDataCDs method -->
  <method-permission>
    <role-name>admin</role-name>
    <method>
      <ejb-name>ejb/DataCDInfoAdmin</ejb-name>
      <method-name>listAllDataCDs</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
Here is the definition in code:
// Annotation-level permissions on the DataCDInfoAdmin bean
@RolesAllowed("superadmin")
public String findpasswd(String username) {
    ...
}

// Only "superadmin" here; ejb-jar.xml additionally grants "admin"
@RolesAllowed("superadmin")
public String[] listAllDataCDs() {
    ...
}

@RolesAllowed({"admin","superadmin"})
public String[] listOwners() {
    ...
}
According to the definition in ejb-jar.xml, the role "admin" should be able to
access two methods: listOwners and listAllDataCDs, but in geronimo 2.1.4 and
2.1 branch, it can only access listOwners.
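The report hinges on what the effective method permissions are once the annotations and the ejb-jar.xml method-permission elements are combined. The following audit script is an added example and is not part of the report or of Geronimo/OpenEJB: it parses the assembly-descriptor above (wrapped in a minimal ejb-jar root, an assumption so it parses stand-alone), expands the `*` wildcard against the bean's known methods, merges the result additively with the annotation-derived roles (the reporter's expectation, taken here as an assumption), and diffs that against the behaviour the reporter observed, which is embedded as a constructed map.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the assembly-descriptor from the report, wrapped in a
# minimal <ejb-jar> root (assumption) so it parses on its own.
EJB_JAR_XML = """<ejb-jar>
  <assembly-descriptor>
    <method-permission>
      <role-name>superadmin</role-name>
      <method>
        <ejb-name>ejb/DataCDInfoAdmin</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>admin</role-name>
      <method>
        <ejb-name>ejb/DataCDInfoAdmin</ejb-name>
        <method-name>listAllDataCDs</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

# Constructed: what the @RolesAllowed annotations in the report declare,
# keyed by (ejb-name, method-name). A real audit would read the bean classes.
ANNOTATION_PERMISSIONS = {
    ("ejb/DataCDInfoAdmin", "findpasswd"): {"superadmin"},
    ("ejb/DataCDInfoAdmin", "listAllDataCDs"): {"superadmin"},
    ("ejb/DataCDInfoAdmin", "listOwners"): {"admin", "superadmin"},
}

# Constructed from the report: what Geronimo 2.1.4 actually let each role call.
OBSERVED_GERONIMO_214 = {
    "superadmin": {"findpasswd", "listAllDataCDs", "listOwners"},
    "admin": {"listOwners"},
}


def _local(tag):
    # Strip an XML namespace ("{uri}name" -> "name") so a real, namespaced
    # ejb-jar.xml is handled the same way as the bare sample above.
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def descriptor_permissions(xml_text, known_methods):
    """Return {(ejb, method): set(roles)} from the <method-permission> elements.

    A <method-name> of "*" is expanded against known_methods for that bean;
    explicit names are taken as-is. Several <method-permission> entries for one
    method are additive, as the descriptor format requires.
    """
    root = ET.fromstring(xml_text)
    perms = defaultdict(set)
    for mp in root.iter():
        if _local(mp.tag) != "method-permission":
            continue
        roles = {r.text.strip() for r in _children(mp, "role-name")}
        if _children(mp, "unchecked"):
            roles.add("<unchecked>")  # pseudo-role: any caller may invoke
        for m in _children(mp, "method"):
            ejb = _children(m, "ejb-name")[0].text.strip()
            name = _children(m, "method-name")[0].text.strip()
            if name == "*":
                targets = [meth for (e, meth) in known_methods if e == ejb]
            else:
                targets = [name]
            for meth in targets:
                perms[(ejb, meth)] |= roles
    return dict(perms)


def effective_permissions(annotations, descriptor):
    """Assumption: a role may call a method if either source grants it."""
    effective = defaultdict(set)
    for key, roles in annotations.items():
        effective[key] |= roles
    for key, roles in descriptor.items():
        effective[key] |= roles
    return dict(effective)


def methods_for_role(effective, role):
    return sorted(meth for (ejb, meth), roles in effective.items() if role in roles)


def audit_gaps(effective, observed):
    """Methods the merged configuration grants a role but the container refused."""
    gaps = {}
    for role in {r for roles in effective.values() for r in roles}:
        missing = set(methods_for_role(effective, role)) - observed.get(role, set())
        if missing:
            gaps[role] = sorted(missing)
    return gaps


EFFECTIVE = effective_permissions(
    ANNOTATION_PERMISSIONS,
    descriptor_permissions(EJB_JAR_XML, ANNOTATION_PERMISSIONS),
)

if __name__ == "__main__":
    for role in ("admin", "superadmin"):
        print(role, "->", methods_for_role(EFFECTIVE, role))
    print("gaps vs. observed:", audit_gaps(EFFECTIVE, OBSERVED_GERONIMO_214))
```

Run as a script it lists, per role, the methods the merged configuration allows and then the single gap the report describes (admin missing listAllDataCDs). The same comparison run against a container's actual behaviour is the quickest way to confirm which of the two sources a given server is really enforcing before relying on descriptor-only role grants.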
--
This message is automatically generated by JIRA.