[ https://issues.apache.org/jira/browse/GERONIMO-5137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12836498#action_12836498 ]

Forrest Xia commented on GERONIMO-5137:
---------------------------------------

In the DataCDInfo sample, there are two session bean definitions for 
DataCDInfoAdmin bean:

1. One is defined via ejb-jar.xml, named "ejb/DataCDInfoAdmin"; the JNDI 
name is "DataCDInfo-JTA-ejb.jar/ejb/DataCDInfoAdmin".
2. The other is defined via annotation in code, with no name property specified, so 
the G server assigns the default JNDI name "DataCDInfo-JTA-ejb.jar/DataCDInfoAdmin".

In G 2.1.4, the container injects #2 into the servlet, while in G 2.2, it injects 
#1. That is why G 2.1.4 seems not to support security configuration overriding. So 
the question is: what mechanism is the G server using to inject the EJB object into a 
servlet? Where can I learn more about this?

I am trying to learn about this, but I hope some top gun could shed some light on 
it. That would be very much appreciated!

> EJB security config in ejb-jar.xml does not override the ones defined via 
> security annotations
> ----------------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-5137
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-5137
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: OpenEJB
>    Affects Versions: 2.1.5
>            Reporter: Forrest Xia
>
> Tried the DataCDInfo sample on G 2.1.4 and the 2.1 branch, and found that these EJB 
> security settings in ejb-jar.xml do not override the ones defined in code 
> via annotations.
> Here is the definition in ejb-jar.xml:
>       <assembly-descriptor>
>               <method-permission>
>                       <role-name>superadmin</role-name>
>                       <method>
>                               <ejb-name>ejb/DataCDInfoAdmin</ejb-name>
>                               <method-name>*</method-name>
>                       </method>
>               </method-permission>
>               <!-- In code, the role "admin" only has the right to access the listOwners method,
>                    but via this xml definition the role could also access the listAllDataCDs method -->
>               <method-permission>
>                       <role-name>admin</role-name>
>                       <method>
>                               <ejb-name>ejb/DataCDInfoAdmin</ejb-name>
>                               <method-name>listAllDataCDs</method-name>
>                       </method>
>               </method-permission>
>       </assembly-descriptor>
> Here is the definition in code:
>       @RolesAllowed("superadmin")
>       public String findpasswd(String username) {
>               ...
>       }
>
>       @RolesAllowed("superadmin")
>       public String[] listAllDataCDs() {
>               ...
>       }
>
>       @RolesAllowed({"admin","superadmin"})
>       public String[] listOwners() {
>               ...
>       }
> According to the definition in ejb-jar.xml, the role "admin" should be able 
> to access two methods: listOwners and listAllDataCDs, but in geronimo 2.1.4 
> and 2.1 branch, it can only access listOwners.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
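
The mismatch described in the comment (descriptor permissions keyed by the ejb-name "ejb/DataCDInfoAdmin" never reaching the bean the container actually injects under the default name "DataCDInfoAdmin") can be reproduced outside the server. The following is an added example and is not Geronimo or OpenEJB code: it parses the ejb-jar.xml fragment from the issue, merges it with the @RolesAllowed roles transcribed from the issue's Java code, computes the effective permission set for each of the two bean names, and reports descriptor entries whose ejb-name matches no deployed bean. The merge rule (descriptor roles are unioned with annotation roles) is an assumption that matches the issue's expectation that "admin" gains listAllDataCDs; the sample XML, method names and bean names are taken from the issue and comment, and the wildcard "*" is expanded only over methods known from annotations.

```python
"""Effective EJB method permissions: @RolesAllowed merged with ejb-jar.xml.

Added example, not Geronimo/OpenEJB code. Descriptor <method-permission>
entries are keyed by <ejb-name>, so they only reach a bean whose name
matches; a bean deployed under a different name keeps annotation-only
permissions. The union merge rule is an assumption consistent with the issue.
"""
import xml.etree.ElementTree as ET

# Sample descriptor, constructed from the fragment quoted in the issue.
EJB_JAR_XML = """\
<ejb-jar>
  <assembly-descriptor>
    <method-permission>
      <role-name>superadmin</role-name>
      <method>
        <ejb-name>ejb/DataCDInfoAdmin</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>admin</role-name>
      <method>
        <ejb-name>ejb/DataCDInfoAdmin</ejb-name>
        <method-name>listAllDataCDs</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

# @RolesAllowed values transcribed from the issue's Java code. The same class
# backs both bean definitions, so both definitions carry these annotations.
ANNOTATION_PERMS = {
    "findpasswd": {"superadmin"},
    "listAllDataCDs": {"superadmin"},
    "listOwners": {"admin", "superadmin"},
}

# Bean names from the comment: the descriptor-defined one and the default
# name the server derives from the annotated class.
DESCRIPTOR_BEAN = "ejb/DataCDInfoAdmin"
ANNOTATION_BEAN = "DataCDInfoAdmin"


def parse_method_permissions(xml_text):
    """Return {ejb_name: {method_name: set(roles)}} from <method-permission>.

    A <method-name> of "*" is kept literally and expanded at merge time.
    """
    perms = {}
    root = ET.fromstring(xml_text)
    for mp in root.iter("method-permission"):
        roles = {r.text.strip() for r in mp.findall("role-name")}
        for method in mp.findall("method"):
            ejb_name = method.findtext("ejb-name").strip()
            method_name = method.findtext("method-name").strip()
            perms.setdefault(ejb_name, {}).setdefault(method_name, set()).update(roles)
    return perms


def effective_permissions(bean_name, annotation_perms, descriptor_perms):
    """Union annotation roles with the descriptor roles keyed by this bean's name.

    Assumed merge rule: descriptor roles are added to annotation roles. "*" is
    expanded over the methods known from annotations (a simplification).
    """
    effective = {m: set(roles) for m, roles in annotation_perms.items()}
    for method_name, roles in descriptor_perms.get(bean_name, {}).items():
        targets = list(effective) if method_name == "*" else [method_name]
        for m in targets:
            effective.setdefault(m, set()).update(roles)
    return effective


def can_access(effective, method_name, role):
    """Deny by default: a method with no roles at all is not callable by anyone."""
    return role in effective.get(method_name, set())


def unmatched_descriptor_beans(descriptor_perms, deployed_bean_names):
    """Descriptor <ejb-name>s that match no deployed bean.

    Their permissions are silently never applied, which is the symptom in the
    issue: the XML targets "ejb/DataCDInfoAdmin" but "DataCDInfoAdmin" is injected.
    """
    return sorted(set(descriptor_perms) - set(deployed_bean_names))


def demo():
    descriptor = parse_method_permissions(EJB_JAR_XML)
    # Behaviour the comment reports for G 2.2: the descriptor-defined bean is injected.
    with_override = effective_permissions(DESCRIPTOR_BEAN, ANNOTATION_PERMS, descriptor)
    # Behaviour the comment reports for G 2.1.4: the annotation-only bean is injected,
    # and the descriptor has no entry under its default name.
    without_override = effective_permissions(ANNOTATION_BEAN, ANNOTATION_PERMS, descriptor)
    return {
        "admin_listAllDataCDs_descriptor_bean": can_access(with_override, "listAllDataCDs", "admin"),
        "admin_listAllDataCDs_annotation_bean": can_access(without_override, "listAllDataCDs", "admin"),
        "unmatched_when_only_annotation_bean_deployed": unmatched_descriptor_beans(descriptor, [ANNOTATION_BEAN]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block reports that "admin" reaches listAllDataCDs only when the descriptor's ejb-name is the one actually injected, and lists "ejb/DataCDInfoAdmin" as a descriptor entry with no matching deployed bean when only the default-named bean is present; that second check is the one worth adding to a deployment review, since an ejb-name typo or a naming mismatch makes the descriptor's permissions vanish without any error.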