We have had similar problems, and I have reported them to orion (but they 
said they couldn't reproduce the problem).  Here is what I found.

If you have an EJB method foo(), and you restrict its access to a role 
MYROLE, then a user who, according to the XML files, should have access to 
foo() is denied access.

If, however (and quite contrary to specs) you specify a GROUP name (e.g. 
MYGROUP) instead of a ROLE name (e.g. MYROLE), then access is granted 
(assuming your user is in that group).

I would be very interested to know if you can confirm this.

Nick

At 03:52 PM 5/8/01 +0200, you wrote:
>Following situation:
>
>- I restricted method permission of method "foo" to role "bar"
>- if I do:
>
>         roleManager.addToRole(ctx.getCallerPrincipal(),"bar");
>         foo();
>
>    everything works just fine.
>
>- if I create a (temporary) user (e.g. user123), add him to role "bar" then
>    log him in with the RoleManager and finally do a foo(), I get a
>    security-exception. (see below).
>
>Why?
>Are there some default-roles that I have to add a newly created user to?
>Are there any further group-permissions I've got to set for group "bar"?
>(I took the permissions of group "users").
>
>
>For completeness:
>- I have also created a group named "bar" (in principal.xml) and specified a
>security-role-mapping (in orion-ejb.xml).
>- Furthermore I added a security-role definition for "bar" in both the
>application.xml and the ejb-jar.xml
>- I have also tried the "<default-ejb-caller-role>" role and then
>    changed the default-method-access to role "bar".
>- I also triple checked that ctx.isCallerInRole("bar") returns true;
>    just the line before I call foo().
>
>
>The exception:
>
>      [java] javax.transaction.TransactionRolledbackException:
>com.evermind.server.rmi.OrionRemoteException: user123 is not allowed to call
>this EJB method, check your security settings (method-permission in
>ejb-jar.xml and security-role-mapping in orion-application.xml).
>      [java]     at com.evermind.server.rmi.bb.invokeMethod(JAX)
>      [java]     at com.evermind.server.rmi.a2.invoke(JAX)
>      [java]     at com.evermind.server.rmi.a3.invoke(JAX)
>
>Ideas, or even solutions?
>
>Armin Michel


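The descriptor chain the thread is arguing about, as an added example that is not from either poster: the spec-compliant path is a role declared in ejb-jar.xml, mapped to a group in orion-application.xml, with the group and its member defined in principals.xml. The bean name FooBean, the password, and the file layout are assumptions; the role "bar", the group "bar", and the user user123 come from the thread.

```xml
<!-- ejb-jar.xml: only the role name appears here (EJB spec) -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>FooBean</ejb-name>   <!-- assumed bean name -->
      <!-- home, remote, ejb-class, session-type, transaction-type ... -->
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>bar</role-name>
    </security-role>
    <method-permission>
      <!-- Nick reports that on his Orion build only a GROUP name here
           (e.g. MYGROUP) was honoured, contrary to the spec; the spec
           form is the role name, as below. -->
      <role-name>bar</role-name>
      <method>
        <ejb-name>FooBean</ejb-name>
        <method-name>foo</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- orion-application.xml: role "bar" -> group "bar" (container-specific) -->
<orion-application>
  <security-role-mapping name="bar">
    <group name="bar" />
  </security-role-mapping>
  <principals path="principals.xml" />   <!-- assumed relative path -->
</orion-application>

<!-- principals.xml: the group needs rmi:login for remote callers,
     which is the permission the "users" group normally carries -->
<principals>
  <groups>
    <group name="bar">
      <description>Callers allowed to invoke FooBean.foo()</description>
      <permission name="rmi:login" />
    </group>
  </groups>
  <users>
    <user username="user123" password="CHANGE-ME">   <!-- placeholder -->
      <group-membership group="bar" />
    </user>
  </users>
</principals>
```

A user created at runtime through the RoleManager API must end up with the same group membership and rmi:login permission as a user declared statically here, otherwise isCallerInRole can return true while the method-permission check still fails.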