I filed GERONIMO-4587 for this. Strangely, it does not seem to be caused only by vararg arrays; normal arrays also fail for me.
I've not had a chance to test with XML security configuration, nor on 2.1. But it should be easy to write a test case for this.

Many thanks for your help!

Trygve

On Fri, Mar 13, 2009 at 5:40 PM, David Jencks <[email protected]> wrote:

> I think this is most likely a bug. Could you please open a jira about this?
>
> If you are inspired to experiment further.... I wonder if
>
> -- changing the method signature to the old-fashioned getX(String y, int[] flags) works
> -- using an xml security constraint (with or without the method args specified) works
>
> Many thanks for finding this!
> david jencks
>
>
> On Mar 13, 2009, at 5:59 AM, Trygve Hardersen wrote:
>
>> Hi
>>
>> I'm developing an application using Geronimo 2.2-SNAPSHOT. The whole system is rather complex but I'll try to explain only what's needed in this context.
>>
>> I have a stateless session bean called SSB, with a method called getX:
>>
>> SSB#getX(java.lang.String)
>>
>> Our security model has 5 roles: admin, anonymous, customer, partner and system. Users can only be in one role. SSB is accessible for all roles, but getX does not allow anonymous access. So I have these annotations:
>>
>> @DeclareRoles({
>>     Constants.ROLE_ADMIN,
>>     Constants.ROLE_ANONYMOUS,
>>     Constants.ROLE_CUSTOMER,
>>     Constants.ROLE_PARTNER,
>>     Constants.ROLE_SYSTEM})
>> public class SSB ....
>>
>> @RolesAllowed({
>>     Constants.ROLE_ADMIN,
>>     Constants.ROLE_CUSTOMER,
>>     Constants.ROLE_PARTNER,
>>     Constants.ROLE_SYSTEM})
>> public X getX(String y)
>>
>> In my testsuite I have a simple testcase to verify that access by users in the anonymous role (unauthenticated web users) is not permitted for the getX method:
>>
>> SSB anonymous_service = LOG_IN_AS_ANONYMOUS_USER....
>> X obj = null;
>> EJBAccessException eae = null;
>> try {
>>     obj = anonymous_service.getX("test");
>> } catch (EJBAccessException e) {
>>     eae = e;
>> }
>> Assert.assertNull(obj);
>> Assert.assertNotNull(eae);
>> Assert.assertEquals(eae.getMessage(), "Unauthorized Access by Principal Denied");
>>
>> I've not had any problems with this test for months. However, yesterday I decided to change the method signature of getX to support an optional list of int flags that control the object initialization (which related records to get from the DB):
>>
>> public X getX(String y, int... flags)
>>
>> After this the test shown above fails. I get an object back and no exception. The security system still works; I can check the user manually using the SessionContext resource. But the container authorization does not trigger.
>>
>> This seems like a bug in the Geronimo security system to me. I'm guessing that the method is not recognized when using the vararg (int...) signature.
>>
>> Any idea what to do about this? Currently I work around the issue by manually checking the role name using javax.ejb.EJBContext#isCallerInRole(java.lang.String).
>>
>> Thanks for your help!
>>
>> Trygve
>>
>
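An added Java check, not from this thread and not Geronimo code, that shows how reflection reports the two getX signatures discussed above (the vararg overload is compiled as `getX(String, int[])`) and audits a bean for public methods that carry no `@RolesAllowed`/`@PermitAll`. The `SSB` class, the literal role names and the `jaccSignature` helper are constructed stand-ins; it assumes the JSR-250 `javax.annotation.security` annotations are on the classpath.

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.StringJoiner;

public class RoleAudit {
    // Constructed stand-in for the bean in the thread, not the original SSB class.
    @DeclareRoles({"admin", "anonymous", "customer", "partner", "system"})
    public static class SSB {
        @RolesAllowed({"admin", "customer", "partner", "system"})
        public Object getX(String y) { return y; }

        // The vararg overload from the report; javac emits it as getX(String, int[]).
        @RolesAllowed({"admin", "customer", "partner", "system"})
        public Object getX(String y, int... flags) { return y; }

        // Deliberately unannotated: EJB 3 treats it as unchecked, so the audit must flag it.
        public Object getY(String y) { return y; }
    }

    /** Signature in the form JACC method permissions use, e.g. getX(java.lang.String,int[]).
     *  getCanonicalName() gives "int[]"; getName() would give the JVM descriptor "[I". */
    static String jaccSignature(Method m) {
        StringJoiner j = new StringJoiner(",", m.getName() + "(", ")");
        for (Class<?> p : m.getParameterTypes()) j.add(p.getCanonicalName());
        return j.toString();
    }

    /** Public methods of the bean that carry neither @RolesAllowed nor @PermitAll. */
    static List<String> unrestricted(Class<?> bean) {
        List<String> out = new ArrayList<>();
        for (Method m : bean.getDeclaredMethods()) {
            if (!Modifier.isPublic(m.getModifiers())) continue;
            if (m.isAnnotationPresent(RolesAllowed.class) || m.isAnnotationPresent(PermitAll.class)) continue;
            out.add(jaccSignature(m));
        }
        return out;
    }

    public static void main(String[] args) {
        for (Method m : SSB.class.getDeclaredMethods()) {
            RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
            System.out.printf("%-36s varargs=%-5b roles=%s%n", jaccSignature(m), m.isVarArgs(),
                    ra == null ? "<none>" : Arrays.toString(ra.value()));
        }
        System.out.println("unrestricted: " + unrestricted(SSB.class));  // expect [getY(java.lang.String)]
    }
}
```

Checking the annotations only proves the metadata is present; the end-to-end check that the container actually enforces them remains the EJBAccessException test quoted above.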
