Re: security problem

Fri, 13 Mar 2009 09:40:50 -0700

I think this is most likely a bug. Could you please open a jira about this? 

If you are inspired to experiment further.... I wonder if
-- changing the method signature to the old-fashioned getX(String y, int[] flags) works -- using an xml security constraint (with or without the method args specified) works 

Many thanks for finding this!
david jencks

On Mar 13, 2009, at 5:59 AM, Trygve Hardersen wrote:


Hi
I'm developing an application using Geronimo 2.2-SNAPSHOT. The whole system is rather complex but I'll try to explain only what's needed in this context. 

I have a stateless session bean called SSB, with a method called getX:

SSB#getX(java.lang.String)
Our security model has 5 roles; admin, anonymous, customer, partner and system. Users can only be in one role. SSB is accessible for all roles, but the getX does not allow anonymous access. So I have these annotations: 

@DeclareRoles({
    Constants.ROLE_ADMIN,
    Constants.ROLE_ANONYMOUS,
    Constants.ROLE_CUSTOMER,
    Constants.ROLE_PARTNER,
    Constants.ROLE_SYSTEM})
public class SSB ....

@RolesAllowed({
    Constants.ROLE_ADMIN,
    Constants.ROLE_CUSTOMER,
    Constants.ROLE_PARTNER,
    Constants.ROLE_SYSTEM})
public X getX(String y)
In my testsuite I have a simple testcase to verify that access by users in the anonymous role (unauthenticated web users) is not permitted for the getX method: 

SSB anonymous_service = LOG_IN_AS_ANONYMOUS_USER....
X obj = null;
EJBAccessException eae = null;
try{
        obj = anonymous_service.getX("test");
}catch (EJBAccessException e) {
          eae = e;
}
Assert.assertNull(obj);
Assert.assertNotNull(eae);
Assert.assertEquals(eae.getMessage(), "Unauthorized Access by Principal Denied");
I've not had any problems with this test for months. However yesterday I decided to change the method signature of getX to support an optional list of int flags than control the object initialization (which related records to get from the DB): 

public X getX(String y, int... flags)
After this the test shown above fails. I get an object back and no exception. The security system still works; I can check the user manually using the SessionContext resource. But the container authorization does not trigger.
This seems like a bug in the Geronimo security system to me. I'm guessing that the method is not recognized when using the vararg (int...) signature.
Any idea what to do about this? Currently I work around the issue by manually checking the role name using javax.ejb.EJBContext#isCallerInRole(java.lang.String). 

Thanks for your help!

Trygve

Reply via email to