Re: [JBoss-user] EJB Security

Sat, 23 Jun 2001 19:12:07 -0700 

> From what I've learned of security in EJB, if one EJB calls a method on
> another EJB, the Principal of the original call is propagated to the
> second one.
> 
> This seems problematic to me. For example, lets say we have an entity bean
> called EBean, and a session bean called SBean, and a user named John.
> 
> John calls a method on SBean, which calls a method on EBean. If John does
> not have access to that method on EBean, the call on SBean will eventually
> fail, right?
> 
Yes.

> So in order for John to call the method on SBean, he has to have access to
> the methods that SBean calls on EBean as well. Well, if he has access,
> then he can call those methods on EBean directly. But what if want to
> force him to go through your session beans rather than use the Entity
> beans to manipulate data directly? By utilizing his access to EBean, he
> could destroy the integrity of a relational database, right?
> 
Your thinking too specifically about "John" the principal. What matters is the
roles that "John" has been assigned. To call methods on SBean that call methods
on EBean the caller needs a role that both beans allow. In EJB 2.0 this has changed
a bit so see below.

> EJB 1.0, I read, has a "runas" attribute in it's deployment descriptor
> which was removed in EJB 1.1? It seems that this would be the solution to
> the problem, _if_ it still existed in 1.1. Then you just allow access to
> your Entity beans from a role named "internal", then have your deployed
> beans assume that "internal" role, thus giving deployed beans, but noone
> else, access to internal resources such as entity beans.
> 
That is right and EJB1.1 does not suppor this. The notion of runas was restored
in EJB2.0 using the security-identity/run-as element:
<enterprise-beans>

    ...

    <session>

        <ejb-name>EmployeeService</ejb-name>

        ...

        <security-identity>

            <run-as>

                <role-name>admin</role-name>

            </run-as>

        </security-identity>

    ...

    </session>

    ...

</enterprise-beans>

Support for this exists in the 2.4 beta of JBoss.



_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user

Reply via email to