Hi Jeff,
I intend to write a document about Orion's security model. If it's okay with you, I
will contact you sometime soon. I will attempt to address the issues you
presented too.
Ernst
--
http://www.jollem.com/orion-primer/
http://www.jollem.com/orion-cmp-primer/
Jeff Schnitzer wrote:
> Hi folks.
>
> I'm struggling with Orion's security model in an attempt to get my first
> entity bean working. It seems that no matter what configuration setting
> I tweak, I cannot successfully call a method on my bean's home
> interface. I always receive the exception:
>
> com.evermind.server.rmi.OrionRemoteException: guest is not allowed to
> call this EJB method, check your security settings (method-permission in
> ejb-jar.xml and security-role-mapping in orion-application.xml).
>
> The funny thing is that this is just about as vanilla a case as you can
> imagine. I'm calling the bean from a servlet, and I desire no
> authentication whatsoever. I want merely to anonymously call a method
> on the home interface. Here are a couple questions to which the answers
> might provide me much enlightenment:
>
> * Who is this "guest" person? In the default master principals.xml,
> there is a user called "anonymous" whose description implies that this
> will be the user automatically assigned to any unauthenticated user.
> Should that be "guest" so that I can assign a group (and thus a
> security-role-mapping) to the unauthenticated user? Is the name
> special, or is there some other flag that I can't see? I've tried
> adding a user with the name "guest", etc. Nothing I have tried works.
>
> * What is the relationship between the master principals.xml in the
> config directory and the principals.xml in the application deployment
> directory? I know the deployment orion-application.xml file points to
> the deployment principals.xml, but does this override or supplement the
> master config? Does it make sense to change the <principals> in the
> orion-application.xml to point to the master config, or is that
> redundant?
>
> * What does the <namespace-access> block do in the orion-application.xml
> file?
>
> * Do I have the basic concept right? 1) a user derives their name from
> authentication, or if there is no authentication, they are assigned some
> name (presumably "guest") by default. 2) the "user" belongs to one or
> more groups, defined by one (or both?) of the principals.xml files. 3)
> the groups are mapped to security roles in the deployment
> orion-application.xml file using <security-role-mapping> tags. 4) the
> security roles are mapped to actual bean method permissions in the
> bean's deployment descriptor.
>
> Somewhere this chain is broken for me, and I'm at a loss to figure out
> where. If it matters, the bean is an EJB 2.0 entity bean. The
> deployment descriptor defines a security role "users" which has
> wildcard(*) permission to the bean. The ear file's application.xml also
> defines this role. The default deployment orion-application.xml has the
> <security-role-mapping> of role "users" to group "users". The master
> principals.xml has both "anonymous" and "guest" as users which belong to
> the "users" group.
>
> Both the atm and news demos work fine. I presume it is because they
> explicitly authenticate somewhere in code, but I haven't been able to
> figure out how or why.
>
> Help? :-)
>
> Thanks,
> Jeff Schnitzer
> [EMAIL PROTECTED]
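As an added diagnostic (not from either message above, and not Orion's own code), the script below walks the four-step chain Jeff lays out, over constructed, minimal copies of the three descriptors, and reports the first link that is missing for a given caller. The element and attribute names (`username`, `group-membership`, `security-role-mapping`, `method-permission`) are assumed from the Orion and EJB 2.0 descriptor formats, and the sample deliberately leaves `guest` out of every group so the check has something to report.

```python
import xml.etree.ElementTree as ET
# Constructed, minimal copies of the three descriptors in the chain: user ->
# group (principals.xml) -> role (orion-application.xml) -> method permission
# (ejb-jar.xml). Names follow the Orion/EJB formats as assumed here.
PRINCIPALS_XML = """<principals><groups><group name="users"/></groups>
  <users>
    <user username="anonymous"><group-membership name="users"/></user>
    <user username="guest"/>
  </users></principals>"""
ORION_APP_XML = """<orion-application>
  <security-role-mapping name="users"><group name="users"/></security-role-mapping>
</orion-application>"""
EJB_JAR_XML = """<ejb-jar><assembly-descriptor><method-permission>
  <role-name>users</role-name>
  <method><ejb-name>Account</ejb-name><method-name>*</method-name></method>
</method-permission></assembly-descriptor></ejb-jar>"""

def groups_of(principals_xml, user):
    # Groups the user belongs to; None when the user is not defined at all.
    u = ET.fromstring(principals_xml).find(f"./users/user[@username='{user}']")
    if u is None:
        return None
    return {m.get("name") for m in u.findall("group-membership")}

def roles_of(orion_app_xml, groups):
    # Security roles that any of the caller's groups is mapped to.
    root = ET.fromstring(orion_app_xml)
    return {m.get("name") for m in root.findall("security-role-mapping")
            if any(g.get("name") in groups for g in m.findall("group"))}

def permitted(ejb_jar_xml, roles, ejb, method):
    # True if some held role has a method-permission covering ejb.method.
    root = ET.fromstring(ejb_jar_xml)
    for mp in root.findall("./assembly-descriptor/method-permission"):
        if mp.findtext("role-name") in roles:
            for m in mp.findall("method"):
                if m.findtext("ejb-name") == ejb and m.findtext("method-name") in ("*", method):
                    return True
    return False

def trace(user, ejb, method):
    # Report the first missing link; the last message is the success case.
    groups = groups_of(PRINCIPALS_XML, user)
    if groups is None:
        return f"{user}: not defined in principals.xml"
    if not groups:
        return f"{user}: belongs to no group"
    roles = roles_of(ORION_APP_XML, groups)
    if not roles:
        return f"{user}: groups {sorted(groups)} map to no security role"
    if not permitted(EJB_JAR_XML, roles, ejb, method):
        return f"{user}: roles {sorted(roles)} have no method-permission on {ejb}.{method}"
    return f"{user}: allowed via roles {sorted(roles)}"
```

Point the three constants at the real deployed files to see which link the server is actually missing for "guest".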