I'm currently rewriting an EJB security course and I have an
"enterprisy" question for the EJB connoisseurs out there. :-)
I've written a basic example showing the problem. What happens is
counterintuitive but maybe it's the way it is meant to work.
MY QUESTION: Is this the way it is meant to work? If so, can somebody
direct me to a resource/article/... explaining this?
MANY thanks!!!
Jan
==============================================
Consider the session bean:

    @Stateless
    @DenyAll
    @DeclareRoles({"god", "mortal"})
    public class Knowledge {

        @PermitAll
        public String commonKnowledge() {
            String response = "Belgian chocolate is best! ";
            // <<< this call is NOT blocked for a "mortal" user!
            response += secretKnowledge();
            return response;
        }

        @RolesAllowed({"god"})
        public String secretKnowledge() {
            return "The meaning of everything is 42";
        }
    }
When calling both methods with a "mortal" user, only the call to the second
method is blocked. The call to the first completes without error, although
one would expect it to block too, as it is accessing a method requiring the
"god" role. At first sight, only the very first method call is guarded. It's
on GlassFish 3.1 btw...
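One way to make the nested call subject to the same check, added here as an illustration and not code from Jan's post: the container applies @RolesAllowed only to calls that enter through its proxy, so a plain secretKnowledge() call on this never reaches the security interceptor. Obtaining the bean's own business object from the SessionContext routes the call through the container. It assumes the EJB 3.1 no-interface view (GlassFish 3.1 provides it) and the Java EE 6 javax.* packages.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Added example, not from the original post: the same bean, with the
// internal call routed through the container so the role check applies.
@Stateless
@DenyAll
@DeclareRoles({"god", "mortal"})
public class Knowledge {

    // Injected by the container; gives access to the bean's own business
    // object (the container proxy) and to the caller's role information.
    @Resource
    private SessionContext ctx;

    @PermitAll
    public String commonKnowledge() {
        String response = "Belgian chocolate is best! ";

        // Calling secretKnowledge() directly on 'this' bypasses the container:
        // authorization runs only when a call enters through the proxy.
        // Asking the container for our own business object and calling through
        // it makes the @RolesAllowed check apply to the nested call too.
        Knowledge self = ctx.getBusinessObject(Knowledge.class);
        try {
            response += self.secretKnowledge();
        } catch (EJBAccessException denied) {
            // A "mortal" caller lands here instead of receiving the secret.
            response += "(secret withheld: caller is not in role \"god\")";
        }
        return response;
    }

    @RolesAllowed({"god"})
    public String secretKnowledge() {
        return "The meaning of everything is 42";
    }
}
```

The same decision can be made without an exception by testing ctx.isCallerInRole("god") before the nested call; either way the role check now happens inside the container rather than being skipped by the self-invocation.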