I have my web-app set up for basic authentication and that works well.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>EJB</web-resource-name>
    <url-pattern>/ejbtest.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>administrator</role-name>
</security-role>

I can now create a new user (smith) who is mapped to the administrators
group in principals.xml.

<user username="smith" password="pwd">
  <description>Dave</description>
  <group-membership group="administrators" />
</user>

BASIC authentication is used for a role called administrator in web.xml, and
this is mapped to the groups as follows in orion-application.xml:

<security-role-mapping name="administrator" impliesAll="false">
  <group name="administrators" />
</security-role-mapping>

All fine, so now only members of the administrators group can log in. Fine.
However when I call my ejb I still get
com.evermind.server.rmi.OrionRemoteException: smith is not allowed to call
the Table.findByPrimaryKey(...) method, check your security settings.
despite the fact that the ejb-jar.xml gives method permissions on everything
to a security-role called administrator, as used in web.xml:

<assembly-descriptor>
  <security-role>
    <description>Administrators</description>
    <role-name>administrator</role-name>
  </security-role>
  .
  .
  .
  <method-permission>
    <role-name>administrator</role-name>
    <method>
      <ejb-name>TableManager</ejb-name>
      <method-name>*</method-name>
    </method>
    <method>
      <ejb-name>Table</ejb-name>
      <method-name>*</method-name>
    </method>
    <method>
      <ejb-name>CashDeskSequence</ejb-name>
      <method-name>*</method-name>
    </method>
    <method>
      <ejb-name>MemberManager</ejb-name>
      <method-name>*</method-name>
    </method>
    <method>
      <ejb-name>Member</ejb-name>
      <method-name>*</method-name>
    </method>
    <method>
      <ejb-name>CashDeskControl</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
  .
  .
  .

Where am I going wrong?
Dave Smith
Senior Team Leader
Aristocrat Technologies Australia Pty Ltd
mailto:[EMAIL PROTECTED]
-----Original Message-----
From: Nick Newman [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 26 July 2000 5:59
To: Dave Smith
Subject: Re: Principles sanity check. Please help - I'm going mad!
Hi Dave,
I think that the basic problem is that "guest" is the default name Orion
uses for an unauthenticated user - and "guest" is not in any groups or
security roles.
To answer your first question. To authenticate as anybody you must apply
security to a jsp page or a servlet. When you ask orion to serve the
corresponding URL it will ask you to supply a username/password.
Here's an example from one of my own web-apps (the web.xml file)

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Developer</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>Developer</role-name>
</security-role>

So when I ask for any *.jsp page in this web-app I get prompted.
If I supply a correct username/password combination (as defined by the
config/principals.xml plus the principals.xml for this particular
application) then Orion knows who I am. It will then check whether I am in
the required security role, or whether I am in a group that is in the
required security role (Developer, in the example). If I am, then it will
grant access to the original URL.
I hope that's enough to get you moving!
Nick
At 04:14 PM 7/25/00 +1000, you wrote:
>Could somebody have a quick look at what I am doing and tell me if I am
>going even vaguely in the right direction.
>
>My problem is that as soon as I put security-roles in my ejb-jar.xml I am
>unable to call the ejbs as I get the exception:
>
>com.evermind.server.rmi.OrionRemoteException: guest is not allowed to call
>the Table.findByPrimaryKey(...) method, check your security settings.
>
>How do I connect as a user other than guest? OR
>How do I grant permissions to guest?
>
>I have an ejb-jar.xml with some security info in it:
>
>  <assembly-descriptor>
>    <security-role>
>      <description>
>        Administrators
>      </description>
>      <role-name>administrator</role-name>
>    </security-role>
>    <security-role>
>      <description>
>        All users
>      </description>
>      <role-name>everyone</role-name>
>    </security-role>
>    <security-role>
>      <description>
>        Guests
>      </description>
>      <role-name>guest</role-name>
>    </security-role>
>
>    ... method permissions here (everyone has everything at the moment)
>
>I now need to map those to the roles in principals.xml, so in my
>orion-application.xml I have:
>
>  <security-role-mapping name="everyone" impliesAll="true">
>    <group name="guests" />
>    <group name="users" />
>    <group name="administrators" />
>  </security-role-mapping>
>  <security-role-mapping name="administrator" impliesAll="false">
>    <group name="guests" />
>    <group name="users" />
>    <group name="administrators" />
>  </security-role-mapping>
>  <security-role-mapping name="guest" impliesAll="false">
>    <group name="guests" />
>    <group name="users" />
>    <group name="administrators" />
>  </security-role-mapping>
>  <principals path="d:\orion\config\principals.xml" />
>
>where guests, users and administrators are groups in principals.xml.
>
>Is this the correct thing to do?
>
>
>Dave Smith
>Senior Team Leader
>Aristocrat Technologies Australia Pty Ltd
>
>mailto:[EMAIL PROTECTED]
>
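
Added example, not part of the original thread or of Orion: a small Python checker that follows the chain described in the messages above (user to groups in principals.xml, groups to roles in orion-application.xml, roles to method permissions in ejb-jar.xml) and reports role names that ejb-jar.xml uses but no security-role-mapping covers. The descriptor fragments are constructed sample input based on the first message and wrapped in root elements so they parse; the function names are hypothetical, reading impliesAll="true" as granting the role to every user is an assumption, and the check models only descriptor name matching, not Orion's runtime behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: fragments from the first message, wrapped in root elements.
PRINCIPALS = """<principals><users>
  <user username="smith" password="pwd">
    <group-membership group="administrators" />
  </user>
</users></principals>"""

ORION_APP = """<orion-application>
  <security-role-mapping name="administrator" impliesAll="false">
    <group name="administrators" />
  </security-role-mapping>
</orion-application>"""

EJB_JAR = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>administrator</role-name></security-role>
  <method-permission>
    <role-name>administrator</role-name>
    <method><ejb-name>Table</ejb-name><method-name>*</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""


def roles_for(user, principals_xml, orion_app_xml):
    """Resolve user -> groups (principals.xml) -> roles (orion-application.xml)."""
    groups = set()
    for u in ET.fromstring(principals_xml).iter("user"):
        if u.get("username") == user:
            groups |= {g.get("group") for g in u.iter("group-membership")}
    roles = set()
    for m in ET.fromstring(orion_app_xml).iter("security-role-mapping"):
        mapped = {g.get("name") for g in m.iter("group")}
        # Assumption: impliesAll="true" grants the role to every user.
        if m.get("impliesAll") == "true" or groups & mapped:
            roles.add(m.get("name"))
    return roles


def check(user, ejb, principals_xml, orion_app_xml, ejb_jar_xml):
    """Return (allowed, unmapped_roles) for `user` calling methods of `ejb`."""
    roles = roles_for(user, principals_xml, orion_app_xml)
    mapped = {m.get("name") for m in ET.fromstring(orion_app_xml).iter("security-role-mapping")}
    allowed, declared = False, set()
    for perm in ET.fromstring(ejb_jar_xml).iter("method-permission"):
        perm_roles = {r.text.strip() for r in perm.findall("role-name")}
        declared |= perm_roles
        ejbs = {e.text.strip() for e in perm.iter("ejb-name")}
        allowed = allowed or (ejb in ejbs and bool(perm_roles & roles))
    return allowed, declared - mapped
```

On these fragments `check("smith", "Table", PRINCIPALS, ORION_APP, EJB_JAR)` finds the role and group names consistent across all three files, so a name mismatch between descriptors is not what this check would flag for the configuration shown in the first message.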