[ 
https://issues.apache.org/jira/browse/GERONIMO-5137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12849008#action_12849008
 ] 

Rex Wang commented on GERONIMO-5137:
------------------------------------

This might be a bug of OpenEJB 3.0.2. Could you test it in a pure OpenEJB 
container and, if it still exists, raise a bug there?
Thanks.

> EJB security config in ejb-jar.xml does not override the ones defined via 
> security annotations
> ----------------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-5137
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-5137
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: OpenEJB
>    Affects Versions: 2.1.5
>            Reporter: Forrest Xia
>
> Tried the DataCDInfo sample on G 2.1.4 and 2.1 branch, and found that these EJB 
> security settings in ejb-jar.xml do not override the ones defined in code 
> via annotations.
> Here is the definition in ejb-jar.xml:
>       <assembly-descriptor>
>         <method-permission>
>           <role-name>superadmin</role-name>
>           <method>
>             <ejb-name>ejb/DataCDInfoAdmin</ejb-name>
>             <method-name>*</method-name>
>           </method>
>         </method-permission>
>         <!-- In code, role "admin" only has right to access listOwners method,
>              but via this xml definition, the role could also access listAllDataCDs method -->
>         <method-permission>
>           <role-name>admin</role-name>
>           <method>
>             <ejb-name>ejb/DataCDInfoAdmin</ejb-name>
>             <method-name>listAllDataCDs</method-name>
>           </method>
>         </method-permission>
>       </assembly-descriptor>
> Here is the definition in code:
>       @RolesAllowed("superadmin")
>       public String findpasswd(String username) {
>               ...
>       }
>
>       @RolesAllowed("superadmin")
>       public String[] listAllDataCDs() {
>               ...
>       }
>
>       @RolesAllowed({"admin","superadmin"})
>       public String[] listOwners() {
>               ...
>       }
> According to the definition in ejb-jar.xml, the role "admin" should be able 
> to access two methods: listOwners and listAllDataCDs, but in Geronimo 2.1.4 
> and the 2.1 branch, it can only access listOwners.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
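An added example, not code from the Geronimo issue or the DataCDInfo sample: it recomputes the effective per-method roles from the two sources quoted in the report (the @RolesAllowed annotations and the <method-permission> entries in ejb-jar.xml) and lists the calls a role should be able to make but was refused. The merge rule is an assumption chosen to match the reporter's expectation: descriptor grants are added to annotation grants, and a `*` method-name covers every method of the named bean.

```python
# Added example (not from the Geronimo issue or the DataCDInfo sample).
# Assumed merge rule, matching the reporter's expectation: <method-permission>
# grants are added to @RolesAllowed grants, and <method-name>*</method-name>
# covers every method of the named bean.
import xml.etree.ElementTree as ET

# Constructed copy of the ejb-jar.xml fragment quoted in the report.
EJB_JAR_XML = """<ejb-jar><assembly-descriptor>
  <method-permission><role-name>superadmin</role-name>
    <method><ejb-name>ejb/DataCDInfoAdmin</ejb-name><method-name>*</method-name></method>
  </method-permission>
  <method-permission><role-name>admin</role-name>
    <method><ejb-name>ejb/DataCDInfoAdmin</ejb-name><method-name>listAllDataCDs</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""

# Roles taken from the @RolesAllowed annotations quoted in the report.
ANNOTATION_ROLES = {
    "findpasswd": {"superadmin"},
    "listAllDataCDs": {"superadmin"},
    "listOwners": {"admin", "superadmin"},
}

def descriptor_roles(xml_text, ejb_name, methods):
    """Roles granted per method by <method-permission> elements for one bean."""
    grants = {m: set() for m in methods}
    for perm in ET.fromstring(xml_text).iter("method-permission"):
        roles = {r.text.strip() for r in perm.findall("role-name")}
        for method in perm.findall("method"):
            if method.findtext("ejb-name", "").strip() != ejb_name:
                continue  # entry belongs to another bean
            name = method.findtext("method-name", "").strip()
            for m in (methods if name == "*" else [name]):
                grants.setdefault(m, set()).update(roles)
    return grants

def effective_roles(annotation_roles, xml_text, ejb_name):
    """Union of annotation and descriptor grants, keyed by method name."""
    merged = {m: set(r) for m, r in annotation_roles.items()}
    for m, roles in descriptor_roles(xml_text, ejb_name, list(merged)).items():
        merged.setdefault(m, set()).update(roles)
    return merged

def unexpected_denials(expected, role, observed_allowed):
    """Methods `role` should reach under the merged rules but the container refused."""
    return sorted(m for m, roles in expected.items()
                  if role in roles and m not in observed_allowed)
```

With the report's observation (admin could only call listOwners on Geronimo 2.1.4), `unexpected_denials(effective_roles(ANNOTATION_ROLES, EJB_JAR_XML, "ejb/DataCDInfoAdmin"), "admin", {"listOwners"})` names listAllDataCDs as the call that the merged configuration grants but the container refused.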