> Hi 
> 
> I think I have found some major bugs with Orion Security. I have written a
> small app to test things out. Can you have a look over things and tell me
> if I am doing something wrong before I submit a bug report. :)
> 
> 
> 
> First Bug:
> 
> Orion throws an "OrionRemoteException" when a security exception occurs.
> The EJB 1.1 spec says that a "RemoteException" should be thrown.
> 
> Second Bug:
> 
> The short-cut for declaring a method permission for all methods does not
> seem to work in the context below.
> eg 
> 
> <method>
>         <ejb-name>ejb/MyBean</ejb-name>
>         <method-name>*</method-name>
>       </method>
> 
> 
> 
> Third Bug:
> 
> This is a major bug. I have built my own UserManager, User and Group
> classes. And my security settings follow the following steps.
> 
> I have a Stateless Session bean with 7 methods exposed to the client. 
> create( )
> methodA( )
> methodB( )
> methodC( )
> methodD( )
> methodE( )
> methodF( )
> 
> I have 4 roles
> 
> role1
> role2
> role3
> role4
> 
> These are the permissions:
> 
> role1 can access ALL METHODS
> role2 can access create(), methodA(), methodB() and methodC()
> role3 can access create(), methodD(), methodE() and methodF()
> role4 can access create(), methodA(), methodD() and methodE()
> 
> These are the orion groups and mappings to roles
> 
> group1 maps to role1
> group2 maps to role2
> group3 maps to role3
> group4 maps to role4
> 
> These are the orion users and the mappings to groups
> 
> user1 maps to group1
> user2 maps to group2
> user3 maps to group3
> user4 maps to group4
> 
> The problem is this.
> 
> If I connect to Orion from a Java application client as "user1" and call
> all the methods of the session bean, then everything seems to work fine.
> 
> 1. Orion uses my custom UserManager to authenticate my user, which is fine.
> 2. Then I try to call create() on the session bean home interface.
> Remember from above:
> all roles, and so all groups, can call create(), so
> 
> 3. Orion then calls isMemberOf(), passing in "group1". Now user1 is a
> member of group1, so my custom UserManager returns true.
> 
> 4. I then call all the other methods. Each time, Orion calls isMemberOf(),
> passing in "group1".
> 5. Finally, all the remote methods execute OK, as expected.
> 
> 
> However, if I connect to Orion using "user2" or any other user, this is
> where problems seem to occur.
> 
> 1. Orion uses my custom UserManager to authenticate "user2", which is fine.
> 2. Then I try to call create() on the session bean home interface.
> 3. At which point Orion calls isMemberOf(), passing in "group1". "user2" is
> not in group1, so I return false.
> 
> However, I now expect Orion to call isMemberOf(), passing in "group2". But
> this does not happen. Rather, Orion does not call this method again and
> throws an OrionRemoteException.
> 
> It seems that Orion thinks that only users in "group1" (mapped to role1)
> can call the create() method.
> 
> I presume isMemberOf() should be called for all groups that can access the
> method being called, until one of the groups gets a match or there are no
> more groups left.
> 
> 
> I have attached my code and config files if they help ...
> 
> 
>  <<Src.zip>> 
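To make the expected behaviour concrete, here is an added example (not code from the original post, and not Orion's code or API) that models the check the poster describes: the method-permission matrix above, including the `*` wildcard for role1, the role-to-group mapping, and an `isMemberOf()` probe of every candidate group until one matches or none are left. The `UserManager` interface, the class and method names, and the user directory are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Models the authorisation check the post expects from an EJB 1.1 container:
 * method-permission (role -> methods, "*" meaning all methods), a role -> group
 * mapping, then isMemberOf() for every candidate group until one matches.
 * Added example only; the names below are assumptions, not Orion's API.
 */
public class MethodPermissionCheck {

    /** Stand-in for the poster's custom UserManager (hypothetical interface). */
    interface UserManager {
        boolean isMemberOf(String user, String group);
    }

    // role -> method names granted by <method-permission>; "*" is the EJB 1.1 wildcard
    private final Map<String, Set<String>> roleMethods = new LinkedHashMap<>();
    // role -> groups: the container-specific mapping the post describes
    private final Map<String, Set<String>> roleGroups = new LinkedHashMap<>();
    private final UserManager users;
    // every group handed to isMemberOf() during the last check, in probe order
    private final List<String> probes = new ArrayList<>();

    MethodPermissionCheck(UserManager users) { this.users = users; }

    void grant(String role, String... methods) {
        roleMethods.computeIfAbsent(role, r -> new LinkedHashSet<>()).addAll(Arrays.asList(methods));
    }

    void mapRoleToGroup(String role, String group) {
        roleGroups.computeIfAbsent(role, r -> new LinkedHashSet<>()).add(group);
    }

    /** True when the role's method-permission covers the method by name or by wildcard. */
    boolean roleAllows(String role, String method) {
        Set<String> granted = roleMethods.get(role);
        return granted != null && (granted.contains("*") || granted.contains(method));
    }

    /** All groups mapped to any role that may call the method, in declaration order. */
    List<String> candidateGroups(String method) {
        Set<String> groups = new LinkedHashSet<>();
        for (String role : roleMethods.keySet()) {
            if (roleAllows(role, method)) {
                groups.addAll(roleGroups.getOrDefault(role, new LinkedHashSet<>()));
            }
        }
        return new ArrayList<>(groups);
    }

    /** The check the post expects: probe each candidate group, stop at the first match. */
    boolean isCallerAllowed(String user, String method) {
        probes.clear();
        for (String group : candidateGroups(method)) {
            probes.add(group);
            if (users.isMemberOf(user, group)) {
                return true;   // matched; later groups are never consulted
            }
        }
        return false;          // no mapped group contains the caller: deny
    }

    List<String> lastProbes() { return new ArrayList<>(probes); }

    public static void main(String[] args) {
        // Constructed directory matching the post: userN belongs only to groupN.
        Map<String, String> directory = new HashMap<>();
        for (int i = 1; i <= 4; i++) directory.put("user" + i, "group" + i);
        UserManager manager = (user, group) -> group.equals(directory.get(user));

        MethodPermissionCheck check = new MethodPermissionCheck(manager);
        check.grant("role1", "*");
        check.grant("role2", "create", "methodA", "methodB", "methodC");
        check.grant("role3", "create", "methodD", "methodE", "methodF");
        check.grant("role4", "create", "methodA", "methodD", "methodE");
        for (int i = 1; i <= 4; i++) check.mapRoleToGroup("role" + i, "group" + i);

        // user2 calling create(): group1 is probed first and refused, then group2 matches.
        System.out.println("user2 create  -> " + check.isCallerAllowed("user2", "create")
                + " probes=" + check.lastProbes());
        // user2 calling methodD(): group1, group3 and group4 are probed; none match, so deny.
        System.out.println("user2 methodD -> " + check.isCallerAllowed("user2", "methodD")
                + " probes=" + check.lastProbes());
        // user1 (role1, wildcard) may call anything after a single probe of group1.
        System.out.println("user1 methodF -> " + check.isCallerAllowed("user1", "methodF")
                + " probes=" + check.lastProbes());
    }
}
```

Compile and run with `javac MethodPermissionCheck.java && java MethodPermissionCheck`. The first call is the situation in the report: user2 calling create() is only admitted because group2 is probed after group1 refuses, which is exactly the second isMemberOf() call the poster expects and does not see. The second call shows the deny path, where every candidate group is exhausted before the container should raise its security exception.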