I have a small problem with security, which I'm testing now.
I'm working with JBoss 3.0.6 and J2SE 1.4.1_02. My ejb-jar.xml looks so:
<ejb-jar> <enterprise-beans> <entity> <display-name>Language Entity Bean</display-name> <ejb-name>LanguageBean</ejb-name> <local-home>de.polonium.ejb.language.entitybeans.LanguageLocalHome</local-home> <local>de.polonium.ejb.language.entitybeans.LanguageLocal</local> <ejb-class>de.polonium.ejb.language.entitybeans.LanguageBean</ejb-class> <persistence-type>Container</persistence-type> <prim-key-class>java.lang.Integer</prim-key-class> <reentrant>False</reentrant> <cmp-version>2.x</cmp-version> <abstract-schema-name>language</abstract-schema-name> <cmp-field><field-name>language_id</field-name></cmp-field> <cmp-field><field-name>lang_short</field-name></cmp-field> <cmp-field><field-name>lang_long</field-name></cmp-field> <primkey-field>language_id</primkey-field> <security-identity> <use-caller-identity/> </security-identity> <query> ... </query> </entity>
<session>
<display-name>Language Facade Stateless Session Bean</display-name>
<ejb-name>LanguageFacade</ejb-name>
<local-home>de.polonium.ejb.language.sessionbeans.LanguageFacadeLocalHome</local-home>
<local>de.polonium.ejb.language.sessionbeans.LanguageFacadeLocal</local>
<ejb-class>de.polonium.ejb.language.sessionbeans.LanguageFacade</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>
<security-identity>
<run-as>
<role-name>demo</role-name>
</run-as>
</security-identity>
</session>
</enterprise-beans>
<assembly-description> <security-role> <role-name>mmcms</role-name> </security-role>
<security-role> <role-name>demo</role-name> </security-role>
<method-permission> <role-name>mmcms</role-name> <method> <ejb-name>LanguageBean</ejb-name> <method-name>*</method-name> </method> </method-permission>
<method-permission> <role-name>demo</role-name> <method> <ejb-name>LanguageFacade</ejb-name> <method-name>*</method-name> </method> </method-permission>
<container-transaction> <method> <ejb-name>LanguageBean</ejb-name> <method-name>*</method-name> </method>
<method> <ejb-name>LanguageFacade</ejb-name> <method-name>*</method-name> </method> <trans-attribute>Required</trans-attribute> </container-transaction> </assembly-description> </ejb-jar>
My client is calling LanguageFacade which is run as 'demo' (only for testing). LanguageFacade implements getAllLanguages() as:
public List getAllLanguages() { logger.debug("getAllLanguages() entered");
try {
ServiceLocator serviceLocator = ServiceLocator.getInstance();
LanguageLocalHome languageHome = (LanguageLocalHome) serviceLocator.getLocalHome(JNDINamesLanguage.LANGUAGE_EJB);
Collection languageCollection = languageHome.findAll();
if (languageCollection != null) { ArrayList languages = new ArrayList();
Iterator iterator = languageCollection.iterator(); while (iterator.hasNext()) { LanguageLocal language = (LanguageLocal) iterator.next(); languages.add(language.getMetaData()); }
return languages; } else { logger.warn("getAllLanguages() language table is empty"); return null; } } catch (ServiceLocatorException sle) { logger.fatal("getAllLanguages() failed", sle); } catch (FinderException fe) { logger.fatal("getAllLanguages() failed", fe); }
return null; }
I get than all entries from Language Entity Bean. But why? Using Language Entity Bean is allowed only as 'mmcms' role. And caller role is 'demo'.
Best Regards, Rafal
-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user