Re: [The Java Posse] EJB security semantics ?

Mon, 26 Apr 2010 04:32:06 -0700 

On Mon, Apr 26, 2010 at 11:47 AM, Jan Goyvaerts <[email protected]>wrote:

> I'm currently rewriting an EJB security course and I'm having an
> "enterprisy" question for the EJB connoisseurs out there. :-)
>
> I've written a basic example showing the problem. What happens is
> counterintuitive but maybe it's the way it is meant to work.
>

You mean the compiler should enforce that methods called from your methods
only include other methods permissible to call from within the roles or
permissions declared?


>
> MY QUESTION: Is this the way it is meant to work ? If so, can somebody
> direct me to a resource/article/... explaining this ?
>
> MANY thanks !!!
>
> Jan
>
> ==============================================
>
> *Consider the session bean*
>
> @Session
> @DenyAll
> @DeclareRoles({"god","mortal"})
> class Knowledge {
>
>   @PermitAll
>   public String commonKnowledge() {
>     String response = "Belgian chocolate is best ! ";
>     response += secretKnowledge();  *<<< call to this method is NOT
> blocked for a "mortal" user !!*
>     return response;
>   }
>
>   @RolesAllowed({"admin"})
>   public String secretKnowledge() {
>     return "The meaning of everything is 42";
>   }
>
> }
>
> When calling both methods with a "mortal" user, only the call to the second
> method is blocked. The call to the first completes without error. Although
> one would expect it to block too as it is accessing a method requiring the
> "god" role. At first sight, only the very first method call is guarded. It's
> on GlassFish 3.1 btw...
>
>
>
>
>  --
> You received this message because you are subscribed to the Google Groups
> "The Java Posse" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]<javaposse%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/javaposse?hl=en.
>



-- 
Viktor Klang
| "A complex system that works is invariably
| found to have evolved from a simple system
| that worked." - John Gall

Akka - the Actor Kernel: Akkasource.org
Twttr: twitter.com/viktorklang

-- 
You received this message because you are subscribed to the Google Groups "The 
Java Posse" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/javaposse?hl=en.

Reply via email to