I have a small problem with security, which I'm testing now.
I'm working with JBoss 3.0.6 and J2SE 1.4.1_02. My ejb-jar.xml looks so:
<ejb-jar>
<enterprise-beans>
<entity>
<display-name>Language Entity Bean</display-name>
<ejb-name>LanguageBean</ejb-name>
<local-home>de.polonium.ejb.language.entitybeans.LanguageLocalHome</local-home>
<local>de.polonium.ejb.language.entitybeans.LanguageLocal</local>
<ejb-class>de.polonium.ejb.language.entitybeans.LanguageBean</ejb-class>
<persistence-type>Container</persistence-type>
<prim-key-class>java.lang.Integer</prim-key-class>
<reentrant>False</reentrant>
<cmp-version>2.x</cmp-version>
<abstract-schema-name>language</abstract-schema-name>
<cmp-field><field-name>language_id</field-name></cmp-field>
<cmp-field><field-name>lang_short</field-name></cmp-field>
<cmp-field><field-name>lang_long</field-name></cmp-field>
<primkey-field>language_id</primkey-field>
<security-identity>
<use-caller-identity/>
</security-identity>
<query>
...
</query>
</entity><session>
<display-name>Language Facade Stateless Session Bean</display-name>
<ejb-name>LanguageFacade</ejb-name>
<local-home>de.polonium.ejb.language.sessionbeans.LanguageFacadeLocalHome</local-home>
<local>de.polonium.ejb.language.sessionbeans.LanguageFacadeLocal</local>
<ejb-class>de.polonium.ejb.language.sessionbeans.LanguageFacade</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>
<security-identity>
<run-as>
<role-name>demo</role-name>
</run-as>
</security-identity>
</session>
</enterprise-beans>
<assembly-description>
<security-role>
<role-name>mmcms</role-name>
</security-role> <security-role>
<role-name>demo</role-name>
</security-role> <method-permission>
<role-name>mmcms</role-name>
<method>
<ejb-name>LanguageBean</ejb-name>
<method-name>*</method-name>
</method>
</method-permission> <method-permission>
<role-name>demo</role-name>
<method>
<ejb-name>LanguageFacade</ejb-name>
<method-name>*</method-name>
</method>
</method-permission> <container-transaction>
<method>
<ejb-name>LanguageBean</ejb-name>
<method-name>*</method-name>
</method> <method>
<ejb-name>LanguageFacade</ejb-name>
<method-name>*</method-name>
</method>
<trans-attribute>Required</trans-attribute>
</container-transaction>
</assembly-description>
</ejb-jar>My client is calling LanguageFacade which is run as 'demo' (only for testing). LanguageFacade implements getAllLanguages() as:
public List getAllLanguages() {
logger.debug("getAllLanguages() entered");try {
ServiceLocator serviceLocator = ServiceLocator.getInstance();
LanguageLocalHome languageHome = (LanguageLocalHome) serviceLocator.getLocalHome(JNDINamesLanguage.LANGUAGE_EJB);
Collection languageCollection = languageHome.findAll();
if (languageCollection != null) {
ArrayList languages = new ArrayList(); Iterator iterator = languageCollection.iterator();
while (iterator.hasNext()) {
LanguageLocal language = (LanguageLocal) iterator.next();
languages.add(language.getMetaData());
} return languages;
}
else {
logger.warn("getAllLanguages() language table is empty");
return null;
}
}
catch (ServiceLocatorException sle) {
logger.fatal("getAllLanguages() failed", sle);
}
catch (FinderException fe) {
logger.fatal("getAllLanguages() failed", fe);
} return null;
}I get than all entries from Language Entity Bean. But why? Using Language Entity Bean is allowed only as 'mmcms' role. And caller role is 'demo'.
Best Regards, Rafal
-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
