On Tuesday 08 May 2001 17:14, you wrote:
> We have had similar problems, and I have reported them to orion (but they
> said they couldn't reproduce the problem).  Here is what I found.
>
> If you have an EJB method foo(), and you restrict its access to a role
> MYROLE, then a user who, according to the XML files, should have access to
> foo() is denied access.
>
> If, however (and quite contrary to specs) you specify a GROUP name (e.g.
> MYGROUP) instead of a ROLE name (e.g. MYROLE), then access is granted
> (assuming your user is in that group).
>
> I would be very interested to know if you can confirm this.

Probably yes. IMHO, Orion forces me to specify a group for every role that I 
define. I can only do an addToRole("bar") when I have a group defined that bar 
is mapped upon.

Your problem may be closely related to mine, but I think my problem is still 
another one.

>
> Nick
>
> At 03:52 PM 5/8/01 +0200, you wrote:
> >Following situation:
> >
> >- I restricted method permission of method "foo" to role "bar"
> >- if I do:
> >
> >         roleManager.addToRole(ctx.getCallerPrincipal(),"bar");
> >         foo();
> >
> >    everything works just fine.
> >
> >- if I create a (temporary) user (e.g. user123), add him to role "bar"
> > then log him in with the RoleManager and finally do a foo(), I get a
> > security-exception (see below).
> >
> >Why?
> >Are there some default-roles that I have to add a newly created user to?
> >Are there any further group-permissions I've got to set for group "bar"?
> >(I took the permissions of group "users").
> >
> >
> >For completeness:
> >- I have also created a group named "bar" (in principal.xml) and specified
> > a security-role-mapping (in orion-ejb.xml).
> >- Furthermore I added a security-role definition for "bar" in both the
> >application.xml and the ejb-jar.xml
> >- I have also tried the "<default-ejb-caller-role>" role and then
> >    changed the default-method-access to role "bar".
> >- I also triple-checked that ctx.isCallerInRole("bar") returns true;
> >    just the line before I call foo().
> >
> >
> >The exception:
> >
> >      [java] javax.transaction.TransactionRolledbackException:
> >com.evermind.server.rmi.OrionRemoteException: user123 is not allowed to
> > call this EJB method, check your security settings (method-permission in
> > ejb-jar.xml and security-role-mapping in orion-application.xml).
> >      [java]     at com.evermind.server.rmi.bb.invokeMethod(JAX)
> >      [java]     at com.evermind.server.rmi.a2.invoke(JAX)
> >      [java]     at com.evermind.server.rmi.a3.invoke(JAX)
> >
> >Ideas, or even solutions?
> >
> >Armin Michel
