Well, what I've tried is your suggestion from a few days ago to do exactly
that. I have a number of roles, and to use one ("agents") as an example, I
have "agents" specified as a group in principals.xml, and also mapped in
orion-application.xml and the relevant orion-ejb-jar.xml, as well as
appearing as the role name in the relevant ejb-jar.xml. That is, my group
names and role names match exactly, everywhere. :-)
I zap the complete app directory in application-deployments before every
run, so there is no legacy stuff. And when I look at the deployed
Orion-specific descriptors they _are_ what I expect.
I should add that when user managers are _not_ in use then I've had no
issues with EJB method-permissions.
I don't doubt that you have stumbled across a configuration that works for
you. In fact I think I had one for about 30 minutes late last week, and then
it went away. I'm not kidding, either. :-)
I'm putting this stuff aside for a bit to see what develops. I'm encouraged
that the Orion team is coming out with docs. I hope they don't just talk
about the role manager, which is robust and also the easiest to use.
Arved
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Nick Newman
Sent: Tuesday, September 19, 2000 12:28 PM
To: Orion-Interest
Subject: RE: User/Group manager guide
Hi Arved,
Can I suggest you try the following. In the ejb-jar.xml file that
specifies the ejb security, specify the GROUP name instead of the ROLE
name. (Even though that's the wrong thing to do.) Then delete the
orion-ejb-jar.xml file (to get rid of the old references to the role name
that are in there). Then redeploy and try again.
If that works, maybe you could throw your weight behind Bugzilla report #55
so we can get it fixed!
Nick
At 10:26 AM 9/19/00 -0300, you wrote:
>I'm looking forward to docs and examples myself.
>
>One thing that I've noticed, after copious experimentation with the
>DataSourceUserManager, is that the group <=> mapping is somewhat deficient.
>In other words, I have my users and groups tables set up, and I've made
>suitable mods and adjustments to principals.xml, orion-application.xml,
>ejb-jar.xml, and orion-ejb-jar.xml as required (or suggested). In some cases
>I'm flailing about, frankly.
>
>In any case, a login with username and password is obviously finding the
>group, and mapping the group to role, because when I check the role after
>login it's OK. I don't have to hardcode it, which is vital.
>
>However, and I've tried everything, I don't believe this knowledge is being
>passed on to the EJB container. No role, however declared in the various
>J2EE/Orion descriptors, is able to access *any* method in an EJB that has
>method-permissions.
>
>So my assessment on the user/role managers is that it is reasonably useful:
>one can assign roles based on login, and test for that as required. But
>method-level security in EJBs does not work, at least not in a documented,
>demonstrated and reliable manner.
>
>The odd thing is that this may not be that much of a big deal. I've been
>writing J2EE for pretty much a full year, and I have yet to see a situation
>where method-level permissions gain me anything at all. It's literally never
>been necessary. It seems to be one of these J2EE things that made ostensible
>sense at the time but has little practical value. Just a thought.
>
>The only reason it disturbs me is because it should work and doesn't. :-) If
>an example can be supplied - complete with Orion-specific deployment
>descriptors - I'll be overjoyed.
>
>Arved Sandstrom
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Lawrence Fry
>Sent: Monday, September 18, 2000 6:36 PM
>To: Orion-Interest
>Subject: RE: User/Group manager guide
>
>
>Guilherme,
>
>Hear, hear! I'm glad somebody said it.
>
>But without documentation, you should look at the archives to this list,
>because many of these problems have already been worked out.
>
>For example...it isn't said anywhere in the documentation, but the
>EJBUserManager is the most useful device for ecommerce. With this, you can
>automatically login users and create users for your website...without one
>call to the EJBUserManager stuff. In order to use this, you will have to add
>the following to your orion-application.xml file:
>
> <user-manager class="com.evermind.ejb.EJBUserManager">
> <property name="home" value="com.evermind.ejb.EJBUser" />
> <property name="defaultGroups" value="users" />
> </user-manager>
>
>I found this tidbit in the mail archive. Then you can use the role manager
>to allow users access to ejb resources, and the role manager automatically
>uses your databank with cmp to create users....create a user like this:
>
>// Imports the snippet needs. The java.*/javax.* ones are standard; the
>// RoleManager and UserAlreadyExistsException classes are assumed to live in
>// Orion's com.evermind.security package. DuplicateAccountException is the
>// application's own exception.
>import java.io.IOException;
>import java.security.Principal;
>import javax.naming.InitialContext;
>import javax.naming.NamingException;
>import com.evermind.security.RoleManager;
>import com.evermind.security.UserAlreadyExistsException;
>
>try
>{
>    // Orion binds the active user manager's RoleManager under java:comp
>    RoleManager roleManager =
>        (RoleManager) new InitialContext().lookup("java:comp/RoleManager");
>    // Refuse to overwrite an account that already exists
>    if (roleManager.getPrincipal(username) != null)
>        throw new DuplicateAccountException(username);
>    Principal principal = roleManager.createPrincipal(username, password);
>    roleManager.addToRole(principal, role);
>    roleManager.store();   // persist through the EJBUserManager's CMP beans
>}
>// Do not leave these empty in real code: log or rethrow, or a failed
>// enrolment looks identical to a successful one.
>catch (NamingException e) { /* JNDI lookup failed */ }
>catch (UserAlreadyExistsException e) { /* race with another enrolment */ }
>catch (InstantiationException e) { /* user manager could not create user */ }
>catch (IOException e) { /* store() failed */ }
>
>and like magic, a user database is created. Of course, you also have to make
>sure your roles are part of your groups.
>
>This is the great secret of orion...great stuff, no documentation! It took
>me weeks to figure this out. I wish there was a tutorial on these simple
>issues:
>
>How do you login in a client through a database of usernames/passwords?
>How do you enroll a client into a database of usernames/passwords?
>How do you control access to web resources (ejb's, jsp's, servlets)?
>
>The existing documentation on this is about as clear as mud.
>
>Regards,
>
>Lawrence
>
>
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Guilherme
>Ceschiatti
>Sent: Monday, September 18, 2000 1:58 PM
>To: Orion-Interest
>Subject: User/Group manager guide
>
>
>Hi!
>
>I'm almost leaving Orion because of the lack of documentation, mainly about
>how to manage User/Groups. As many people have lots of doubts related to it
>too, I'm asking the Orion team or anybody else to write a tutorial about it.
>I really don't want to leave Orion, because I've made good things on it, but
>I'm spending a lot of time trying to "decipher" how to use the Orion API.
>
>Thanks.
>Guilherme Ceschiatti
>[EMAIL PROTECTED]
>
>
>
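For readers working through this thread later: below is a worked descriptor set for the arrangement Arved describes at the top (group name, role name and role-to-group mapping spelled identically in principals.xml, orion-application.xml, ejb-jar.xml and orion-ejb-jar.xml), combined with the user-manager declaration from Lawrence's message. It is an added example, not taken from any message in this thread or from Orion's documentation. The bean name `AgentBean`, the user `alice`, the `./principals.xml` path and the exact element names of the Orion-specific descriptors (`security-role-mapping`, `group-membership`, `permission`) are assumptions; the ejb-jar.xml part is standard J2EE. Note that the role name `agents` is the only thing the portable ejb-jar.xml needs to know; the group appears only in the Orion descriptors, so the workaround Nick suggests (writing the group name into ejb-jar.xml) should not be necessary when the mapping below is honoured.

```xml
<!-- principals.xml (layout assumed): the group and a member user -->
<principals>
  <groups>
    <group name="agents">
      <description>Agents allowed to call AgentBean</description>
      <!-- without a login permission the group cannot authenticate at all -->
      <permission name="rmi:login"/>
    </group>
  </groups>
  <users>
    <!-- placeholder credentials for the example only -->
    <user username="alice" password="changeme">
      <group-membership group="agents"/>
    </user>
  </users>
</principals>

<!-- orion-application.xml (layout assumed): which user manager resolves
     users and groups, and the application-wide role -> group mapping -->
<orion-application>
  <principals path="./principals.xml"/>
  <!-- or, for a CMP-backed user store, the declaration from Lawrence's mail:
  <user-manager class="com.evermind.ejb.EJBUserManager">
    <property name="home" value="com.evermind.ejb.EJBUser"/>
    <property name="defaultGroups" value="users"/>
  </user-manager>
  -->
  <security-role-mapping name="agents">
    <group name="agents"/>
  </security-role-mapping>
</orion-application>

<!-- ejb-jar.xml (standard J2EE): role declaration and method permissions;
     bean definitions in <enterprise-beans> omitted -->
<ejb-jar>
  <assembly-descriptor>
    <security-role>
      <role-name>agents</role-name>
    </security-role>
    <method-permission>
      <role-name>agents</role-name>
      <method>
        <ejb-name>AgentBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- orion-ejb-jar.xml (layout assumed): the per-module mapping of the
     J2EE role onto the Orion group; must use the same names as above -->
<orion-ejb-jar>
  <assembly-descriptor>
    <security-role-mapping name="agents">
      <group name="agents"/>
    </security-role-mapping>
  </assembly-descriptor>
</orion-ejb-jar>
```

A quick way to check the deployment is the one Arved uses: clear the module's directory under application-deployments, redeploy, and diff the generated orion-ejb-jar.xml against this one; if the `security-role-mapping` entry is missing or carries a different name, the container has nothing to map the authenticated group onto and every guarded method will be refused.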