Hello,
After much time spent trying to implement a demo J2EE application with
security, I discovered a bug in the mapping between role and user/group
process.
My demo app is composed of 2 HTML pages (index.html/login.html), 1 servlet
and 1 session EJB. Only one role (adsoft) is used and defined in the
deployment descriptors files (ejb-jar.xml & web.xml). The index.html file is
declared as the <welcome-file> and its access is not restricted. Any
user/browser can request this page. The index.html contains a URL which
points to the servlet for which the access is restricted to the role
(adsoft). This restriction works well since the user is automatically
redirected to the login.html page for authentication.
The problem appears when the servlet invokes a method of my session EJB. If,
in orion-application.xml, the mapping between role and user/group is made as
follows, access to the EJB method is impossible:
<security-role-mapping name="adsoft">
  <group name="users" />
</security-role-mapping>
or
<security-role-mapping name="adsoft">
  <user name="denisj" />
</security-role-mapping>
Only this mapping will work correctly:
<security-role-mapping name="adsoft">
  <group name="adsoft" />
</security-role-mapping>
with this principals.xml in ./config
<?xml version="1.0"?>
<!DOCTYPE principals PUBLIC "//Evermind - Orion Principals//"
  "http://www.orionserver.com/dtds/principals.dtd">
<principals>
  <groups>
    <group name="adsoft">
      <description>Adenia Software users</description>
      <permission name="rmi:login" />
      <permission name="com.evermind.server.rmi.RMIPermission" />
    </group>
    <group name="users">
      <description>users</description>
      <permission name="rmi:login" />
      <permission name="com.evermind.server.rmi.RMIPermission" />
    </group>
    <group name="guests">
      <description>guests</description>
    </group>
    <group name="administrators">
      <description>administrators</description>
      <permission name="administration" />
      <permission name="com.evermind.server.AdministrationPermission" />
    </group>
  </groups>
  <users>
    <user username="user" password="456" deactivated="false">
      <description>The default user</description>
      <group-membership group="users" />
      <group-membership group="guests" />
    </user>
    <user username="anonymous" password="">
      <description>The default guest/anonymous user</description>
      <group-membership group="guests" />
    </user>
    <user username="denisj" password="6412">
      <group-membership group="adsoft" />
    </user>
  </users>
</principals>
This dysfunction appears only with the EJB session. If the servlet works
alone without access to the EJB, all the mappings enumerated above work
fine.
I've already submitted it to bugzilla (bug id 55).
Don't hesitate to contact me for further info.
Denis Jaccard ([EMAIL PROTECTED])
Java / XML Trainer & Consultant
Adenia Software Sàrl
Puits-Godet 6a
2000 Neuchâtel
Tél. : +41 (0)32 724 96 57
Fax : +41 (0)32 724 96 59
Web : http://www.adenia.com
web-security.zip
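A small audit script, added here as an example and not code from the post or from the Orion server, that resolves which principals in the posted principals.xml actually hold the "adsoft" role under each of the three orion-application.xml mappings quoted above. It is the check a deployer would run before blaming the container: with the group "users" mapping, only the account "user" holds the role, while "denisj" is only a member of group "adsoft", so the expected holders differ per mapping. The principals document is copied from the post with the DOCTYPE removed so the parser never consults the external DTD; the function names are this example's own.

```python
"""Resolve which principals hold a J2EE role under an Orion-style
<security-role-mapping>, given a principals.xml.

Added example; not code from the original post or from Orion.
"""
import xml.etree.ElementTree as ET

# principals.xml from the post, DOCTYPE dropped so ElementTree does not
# look at the external DTD (constructed copy for this example).
PRINCIPALS_XML = """<?xml version="1.0"?>
<principals>
  <groups>
    <group name="adsoft">
      <permission name="rmi:login" />
      <permission name="com.evermind.server.rmi.RMIPermission" />
    </group>
    <group name="users">
      <permission name="rmi:login" />
      <permission name="com.evermind.server.rmi.RMIPermission" />
    </group>
    <group name="guests" />
    <group name="administrators">
      <permission name="administration" />
      <permission name="com.evermind.server.AdministrationPermission" />
    </group>
  </groups>
  <users>
    <user username="user" password="456" deactivated="false">
      <group-membership group="users" />
      <group-membership group="guests" />
    </user>
    <user username="anonymous" password="">
      <group-membership group="guests" />
    </user>
    <user username="denisj" password="6412">
      <group-membership group="adsoft" />
    </user>
  </users>
</principals>"""

# The three orion-application.xml mappings quoted in the post.
MAPPING_GROUP_USERS = ('<security-role-mapping name="adsoft">'
                       '<group name="users" /></security-role-mapping>')
MAPPING_USER_DENISJ = ('<security-role-mapping name="adsoft">'
                       '<user name="denisj" /></security-role-mapping>')
MAPPING_GROUP_ADSOFT = ('<security-role-mapping name="adsoft">'
                        '<group name="adsoft" /></security-role-mapping>')


def parse_principals(xml_text):
    """Return ({username: set(groups)}, {group: set(permissions)}).
    Users marked deactivated="true" are skipped: they can never log in."""
    root = ET.fromstring(xml_text)
    groups = {}
    for g in root.iter("group"):
        groups[g.get("name")] = {p.get("name") for p in g.findall("permission")}
    users = {}
    for u in root.iter("user"):
        if u.get("deactivated", "false").lower() == "true":
            continue
        users[u.get("username")] = {m.get("group")
                                    for m in u.findall("group-membership")}
    return users, groups


def parse_role_mapping(xml_text):
    """Return {role: {"users": set, "groups": set}} from one or more
    <security-role-mapping> elements (the root may itself be one)."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for m in root.iter("security-role-mapping"):
        entry = mapping.setdefault(m.get("name"),
                                   {"users": set(), "groups": set()})
        entry["users"].update(u.get("name") for u in m.findall("user"))
        entry["groups"].update(g.get("name") for g in m.findall("group"))
    return mapping


def principals_with_role(users, mapping, role):
    """Usernames holding `role`, either named directly in the mapping or
    through membership of a mapped group."""
    entry = mapping.get(role, {"users": set(), "groups": set()})
    return {name for name, member_of in users.items()
            if name in entry["users"] or member_of & entry["groups"]}


def effective_permissions(users, groups, username):
    """Union of the permissions of every group the user belongs to."""
    perms = set()
    for g in users.get(username, set()):
        perms |= groups.get(g, set())
    return perms


def audit(principals_xml, mapping_xml, role):
    """{username: sorted permissions} for every principal holding `role`."""
    users, groups = parse_principals(principals_xml)
    holders = principals_with_role(users, parse_role_mapping(mapping_xml), role)
    return {name: sorted(effective_permissions(users, groups, name))
            for name in sorted(holders)}


if __name__ == "__main__":
    for label, mapping_xml in (("group users", MAPPING_GROUP_USERS),
                               ("user denisj", MAPPING_USER_DENISJ),
                               ("group adsoft", MAPPING_GROUP_ADSOFT)):
        print(label, "->", audit(PRINCIPALS_XML, mapping_xml, "adsoft"))
```

Running it lists, for each mapping, the accounts that would pass a role check on the servlet or the EJB method and the group permissions those accounts carry; comparing that list with the account actually used to log in separates a mapping that simply does not include the tester from the container behaviour the post reports.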