Hi,

I have a small problem with security, which I'm testing now.

I'm working with JBoss 3.0.6 and J2SE 1.4.1_02. My ejb-jar.xml looks like this:

<ejb-jar>
    <enterprise-beans>
        <entity>
            <display-name>Language Entity Bean</display-name>
            <ejb-name>LanguageBean</ejb-name>
            <local-home>de.polonium.ejb.language.entitybeans.LanguageLocalHome</local-home>
            <local>de.polonium.ejb.language.entitybeans.LanguageLocal</local>
            <ejb-class>de.polonium.ejb.language.entitybeans.LanguageBean</ejb-class>
            <persistence-type>Container</persistence-type>
            <prim-key-class>java.lang.Integer</prim-key-class>
            <reentrant>False</reentrant>
            <cmp-version>2.x</cmp-version>
            <abstract-schema-name>language</abstract-schema-name>
            <cmp-field><field-name>language_id</field-name></cmp-field>
            <cmp-field><field-name>lang_short</field-name></cmp-field>
            <cmp-field><field-name>lang_long</field-name></cmp-field>
            <primkey-field>language_id</primkey-field>
            <security-identity>
                <use-caller-identity/>
            </security-identity>
            <query>
                ...
            </query>
        </entity>

        <session>
            <display-name>Language Facade Stateless Session Bean</display-name>
            <ejb-name>LanguageFacade</ejb-name>
            <local-home>de.polonium.ejb.language.sessionbeans.LanguageFacadeLocalHome</local-home>
            <local>de.polonium.ejb.language.sessionbeans.LanguageFacadeLocal</local>
            <ejb-class>de.polonium.ejb.language.sessionbeans.LanguageFacade</ejb-class>
            <session-type>Stateless</session-type>
            <transaction-type>Container</transaction-type>
            <security-identity>
                <run-as>
                    <role-name>demo</role-name>
                </run-as>
            </security-identity>
        </session>
    </enterprise-beans>


    <assembly-description>
        <security-role>
            <role-name>mmcms</role-name>
        </security-role>

        <security-role>
            <role-name>demo</role-name>
        </security-role>

        <method-permission>
            <role-name>mmcms</role-name>
            <method>
                <ejb-name>LanguageBean</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>

        <method-permission>
            <role-name>demo</role-name>
            <method>
                <ejb-name>LanguageFacade</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>

        <container-transaction>
            <method>
                <ejb-name>LanguageBean</ejb-name>
                <method-name>*</method-name>
            </method>

            <method>
                <ejb-name>LanguageFacade</ejb-name>
                <method-name>*</method-name>
            </method>
            <trans-attribute>Required</trans-attribute>
        </container-transaction>
    </assembly-description>
</ejb-jar>

My client is calling LanguageFacade, which is run as 'demo' (only for testing). LanguageFacade implements getAllLanguages() as:

    public List getAllLanguages() {
        logger.debug("getAllLanguages() entered");

        try {
            ServiceLocator serviceLocator = ServiceLocator.getInstance();
            LanguageLocalHome languageHome = (LanguageLocalHome) serviceLocator.getLocalHome(JNDINamesLanguage.LANGUAGE_EJB);
            Collection languageCollection = languageHome.findAll();

            if (languageCollection != null) {
                ArrayList languages = new ArrayList();

                Iterator iterator = languageCollection.iterator();
                while (iterator.hasNext()) {
                    LanguageLocal language = (LanguageLocal) iterator.next();
                    languages.add(language.getMetaData());
                }

                return languages;
            }
            else {
                logger.warn("getAllLanguages() language table is empty");
                return null;
            }
        }
        catch (ServiceLocatorException sle) {
            logger.fatal("getAllLanguages() failed", sle);
        }
        catch (FinderException fe) {
            logger.fatal("getAllLanguages() failed", fe);
        }

        return null;
    }

I then get all entries from the Language Entity Bean. But why? Using the Language Entity Bean is allowed only for the 'mmcms' role, and the caller role is 'demo'.


Best Regards, Rafal



_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user
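
An offline check of the descriptor in the post, added here as an example (not part of the original message and not JBoss code): it compares the role each bean propagates with the roles permitted on the bean it calls, counting only `<method-permission>` entries that sit under `<assembly-descriptor>`, the element name the EJB 2.0 DTD defines. The `audit` function, the caller/callee pair passed to it and the trimmed `DESCRIPTOR` copy are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the descriptor from the post (security-relevant elements only).
DESCRIPTOR = """<ejb-jar>
  <enterprise-beans>
    <entity><ejb-name>LanguageBean</ejb-name>
      <security-identity><use-caller-identity/></security-identity></entity>
    <session><ejb-name>LanguageFacade</ejb-name>
      <security-identity><run-as><role-name>demo</role-name></run-as></security-identity></session>
  </enterprise-beans>
  <assembly-description>
    <method-permission><role-name>mmcms</role-name>
      <method><ejb-name>LanguageBean</ejb-name><method-name>*</method-name></method></method-permission>
    <method-permission><role-name>demo</role-name>
      <method><ejb-name>LanguageFacade</ejb-name><method-name>*</method-name></method></method-permission>
  </assembly-description>
</ejb-jar>"""

def audit(xml_text, calls):
    """calls: assumed (caller_bean, callee_bean) pairs; returns a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    # Role each bean propagates on outgoing calls; None means use-caller-identity.
    run_as = {}
    for bean in root.find("enterprise-beans"):
        run_as[bean.findtext("ejb-name")] = bean.findtext("security-identity/run-as/role-name")
    # Count permissions only under <assembly-descriptor>; report any found elsewhere.
    allowed = {}
    for section in root:
        for perm in section.findall("method-permission"):
            roles = {r.text for r in perm.findall("role-name")}
            for m in perm.findall("method"):
                bean = m.findtext("ejb-name")
                if section.tag == "assembly-descriptor":
                    allowed.setdefault(bean, set()).update(roles)
                else:
                    findings.append(f"permission for {bean} is under <{section.tag}>, not <assembly-descriptor>")
    for caller, callee in calls:
        role = run_as.get(caller)
        if callee not in allowed:
            findings.append(f"{caller} -> {callee}: no method-permission found for {callee}")
        elif role is not None and role not in allowed[callee]:
            findings.append(f"{caller} -> {callee}: run-as '{role}' is not a permitted role")
    return findings
```

Run against the descriptor as posted, `audit(DESCRIPTOR, [("LanguageFacade", "LanguageBean")])` reports both permission entries as sitting outside `<assembly-descriptor>`; with the element renamed, it reports only the 'demo' versus 'mmcms' mismatch.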
