The set of roles allowed to access a method is set in org.jboss.metadata.BeanMetaData
getMethodPermissions(String methodName, Class[] params, boolean remote). This method
explicitly nulls the returned set if it has no roles. It would seem that this should be
dropped and an empty role set returned.
----- Original Message -----
From: "Alexander Klyubin" <[EMAIL PROTECTED]>
To: "jBoss Developer" <[EMAIL PROTECTED]>
Sent: Sunday, February 04, 2001 11:44 PM
Subject: [jBoss-Dev] SecurityInterceptor
> Hi!
>
> I stumbled upon a problem(?) with security once again. The problem is that
> SecurityInterceptor only checks permissions if method permissions (the set of
> roles who can call the method) are present (NOT null, i.e. at least one role is
> allowed to call this method):
> "
> ..
> if (methodPermissions != null && !realmMapping.doesUserHaveRole( principal,
> methodPermissions ))
> ?^^^^^^^^^^^^^^^^^^^^^^^?
> {
> // should log illegal access
> throw new java.rmi.RemoteException("checkSecurityAssociation", new
> SecurityException("Illegal access exception"));
> }
> ..
> "
>
> My question is, why is this check for "null" required? According to the
> spec, if no roles are allowed to call a method, it cannot be called. This
> code, however, does allow it. Can it be that, if a method is not allowed to be
> called at all, the methodPermissions set should be EMPTY, NOT NULL? In that
> case the problem is elsewhere -- where this set is created.
>
> Alexander Klyubin
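The point under discussion is a fail-open versus fail-closed check. The following is an added example, not JBoss code: it puts a stand-alone version of the quoted null-tolerant check next to a fail-closed one, using a hypothetical RealmMapping interface (named after the realmMapping call in the quoted snippet) with a constructed principal-to-role table. Both the interface and the demo realm are assumptions for the example; the real interceptor throws a RemoteException wrapping a SecurityException where the example returns false.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Hypothetical stand-in for the interceptor's realm lookup (not the JBoss API).
interface RealmMapping {
    boolean doesUserHaveRole(String principal, Set<String> roles);
}

public class MethodPermissionCheck {

    // Fail-open variant, mirroring the quoted check: a null role set is treated
    // as "no restriction", so a method that was meant to have no callers at all
    // becomes callable by anyone.
    static boolean allowedFailOpen(RealmMapping realm, String principal,
                                   Set<String> methodPermissions) {
        if (methodPermissions != null
                && !realm.doesUserHaveRole(principal, methodPermissions)) {
            return false; // the interceptor would throw here
        }
        return true;
    }

    // Fail-closed variant: a missing or empty role set means nobody may call
    // the method. Only an explicit role match lets the call through, so the
    // result no longer depends on whether the metadata layer hands back null
    // or an empty set.
    static boolean allowedFailClosed(RealmMapping realm, String principal,
                                     Set<String> methodPermissions) {
        if (methodPermissions == null || methodPermissions.isEmpty()) {
            return false;
        }
        return realm.doesUserHaveRole(principal, methodPermissions);
    }

    // Constructed realm for the demo: "bob" holds the single role "user".
    static RealmMapping demoRealm() {
        Set<String> bobRoles = new HashSet<>();
        bobRoles.add("user");
        return (principal, roles) -> {
            if (!"bob".equals(principal)) {
                return false;
            }
            for (String r : roles) {
                if (bobRoles.contains(r)) {
                    return true;
                }
            }
            return false;
        };
    }

    public static void main(String[] args) {
        RealmMapping realm = demoRealm();
        Set<String> users  = Collections.singleton("user");
        Set<String> admins = Collections.singleton("admin");
        Set<String> none   = Collections.emptySet();

        // Explicit role sets: both variants agree.
        System.out.println("user role, fail-open:    " + allowedFailOpen(realm, "bob", users));
        System.out.println("user role, fail-closed:  " + allowedFailClosed(realm, "bob", users));
        System.out.println("admin role, fail-open:   " + allowedFailOpen(realm, "bob", admins));
        System.out.println("admin role, fail-closed: " + allowedFailClosed(realm, "bob", admins));

        // Empty set: both deny, because no role can match.
        System.out.println("empty set, fail-open:    " + allowedFailOpen(realm, "bob", none));
        System.out.println("empty set, fail-closed:  " + allowedFailClosed(realm, "bob", none));

        // Null set: this is where the quoted check opens up.
        System.out.println("null set, fail-open:     " + allowedFailOpen(realm, "bob", null));
        System.out.println("null set, fail-closed:   " + allowedFailClosed(realm, "bob", null));
    }
}
```

Returning an empty set from getMethodPermissions, as the reply suggests, already makes the quoted check deny (doesUserHaveRole cannot match any role against an empty set). Treating null as deny in the interceptor as well removes the dependence on that convention, so a future code path that still yields null does not silently reopen the method.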