I'm looking forward to docs and examples myself.
One thing that I've noticed, after copious experimentation with the
DataSourceUserManager, is that the group <=> mapping is somewhat deficient.
In other words, I have my users and groups tables set up, and I've made
suitable mods and adjustments to principals.xml, orion-application.xml,
ejb-jar.xml, and orion-ejb-jar.xml as required (or suggested). In some cases
I'm flailing about, frankly.
In any case, a login with username and password is obviously finding the
group, and mapping the group to role, because when I check the role after
login it's OK. I don't have to hardcode it, which is vital.
However, and I've tried everything, I don't believe this knowledge is being
passed on to the EJB container. No role, however declared in the various
J2EE/Orion descriptors, is able to access *any* method in an EJB that has
method-permissions.
So my assessment on the user/role managers is that it is reasonably useful:
one can assign roles based on login, and test for that as required. But
method-level security in EJBs does not work, at least not in a documented,
demonstrated and reliable manner.
The odd thing is, is that this may not be that much of a big deal. I've been
writing J2EE for pretty much a full year, and I have yet to see a situation
where method-level permissions gain me anything at all. It's literally never
been necessary. It seems to be one of these J2EE things that made ostensible
sense at the time but has little practical value. Just a thought.
The only reason it disturbs me is because it should work and doesn't. :-) If
an example can be supplied - complete with Orion-specific deployment
descriptors - I'll be overjoyed.
Arved Sandstrom
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Lawrence Fry
Sent: Monday, September 18, 2000 6:36 PM
To: Orion-Interest
Subject: RE: User/Group manager guide
Guilherme,
Here Here! I'm glad somebody said it.
But without documentation, you should look at the archives to this list,
because many of these problems have already been worked out.
For example...it isn't said anywhere in the documentation, but the
EJBUserManager is the most useful device for ecommerce. With this, you can
automatically login users and create users for your website...without one
call to the EJBUserManager stuff. In order to use this, you will have to add
the following to your orion-application.xml file:
<user-manager class="com.evermind.ejb.EJBUserManager">
<property name="home" value="com.evermind.ejb.EJBUser" />
<property name="defaultGroups" value="users" />
</user-manager>
I found this tidbit in the mail archive. Then you can use the role manager
to allow users access to ejb resources, and the role manager automatically
uses the your databank with cmp to create users....create a user like this:
try
{
RoleManager roleManager = (RoleManager)new
InitialContext().looku("java:comp/RoleManager");
if(roleManager.getPrincipal(username) != null)
throw new DuplicateAccountException(username)
Principal principal = roleManager.createPrincipal(username, password);
roleManager.addToRole(principal, role);
roleManager.store();
}
catch(NamingException e){}
catch(UserAlreadyExistsException e){}
catch(InstantiationException e){}
catch(IOException e){}
and like magic, a user database is created. Of course, you also have to make
sure your roles are part of your groups.
This is the great secret of orion...great stuff, no documentation! It took
me weeks to figure this out. I wish there was a tutorial on these simple
issues:
How do you login in a client through a database of usernames/passwords?
How do you enroll a client into a database of usernames/passwords?
How do you control access to web resources (ejb's, jsp's, servlets)?
The existing documentation on this is about as clear as mud.
Regards,
Lawrence
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Guilherme
Ceschiatti
Sent: Monday, September 18, 2000 1:58 PM
To: Orion-Interest
Subject: User/Group manager guide
Hi!
I'm almost leaving Orion because the lack of documentation, mainly about how
to
manage User/Groups. As many people have lots of doubts related to it too,
I'm
asking the Orion team or anybody else to write a tutorial about it. I
really
don't want to leave Orion, because I've made good things on it, but I'm
spending a lot of time trying to "decifrate" how to use the Orion API.
Thanks.
Guilherme Ceschiatti
[EMAIL PROTECTED]
