Hi all, I've been looking high and low for an answer for this, and though I've found a workaround, I'd love to find a nice easy XDoclet tag that'll do the job :-).
I have the following stateless session bean:

    package api.test.security;

    import javax.ejb.FinderException;
    import javax.ejb.SessionBean;
    import javax.naming.NamingException;
    import org.apache.log4j.Logger;   // logger import/declaration not in the original post; assumed

    /**
     * @author mclaughj
     *
     * @ejb.bean
     *     type="Stateless"
     *     name="SecurityTestAPI"
     *     description="Security test API"
     *     local-jndi-name="test/SecurityTestAPILocalHome"
     *     jndi-name="test/SecurityTestAPIHome"
     *     view-type="both"
     *
     * @ejb.ejb-ref
     *     ejb-name="SecurityTestAPI"
     *     ref-name="ejb/SecurityTestAPI"
     *     view-type="both"
     *
     * @ejb.transaction type="RequiresNew"
     * @ejb.util generate = "physical"
     */
    public abstract class SecurityTestAPIBean implements SessionBean {

        private static final Logger log = Logger.getLogger(SecurityTestAPIBean.class);

        /**
         * @ejb.create-method view-type = "both"
         * @ejb.permission="Active"
         */
        public void ejbCreate() {
        }

        /**
         * Logs the call; intended to be callable only by the "Admin" role.
         *
         * @exception NamingException
         * @exception FinderException
         *
         * @ejb.interface-method view-type="both"
         * @ejb.permission role-name = "Admin"
         */
        public void callByAdmin() throws NamingException, FinderException {
            log.info("SecurityTestAPI::callByAdmin()");
        }

        /**
         * Logs the call; intended to be callable only by the "Buyer" role.
         *
         * @exception NamingException
         * @exception FinderException
         *
         * @ejb.interface-method view-type="both"
         * @ejb.permission role-name = "Buyer"
         */
        public void callByBuyer() throws NamingException, FinderException {
            log.info("SecurityTestAPI::callByBuyer()");
        }
    }

I have defined a user "test" with roles "Active" and "Buyer". The JBoss security config seems fine, as I can authenticate and JBoss sets up the correct principal with the correct roles, so I'll skip that.
However, when I process the above with XDoclet, compile and deploy everything, any attempt to call create() on the session bean fails with the following:

    java.lang.SecurityException: Insufficient method permissions, principal=test, ejbName=SecurityTestAPI, method=create, interface=HOME, requiredRoles=[], principalRoles=[Active, Buyer]

I tried adding a class level tag

    * @ejb.permission role-name="Active"

and this allowed the home interface to be created, but it also allows "test" to call both callByAdmin() and callByBuyer(), whereas the desired situation is that only callByBuyer() should be callable with the given permissions.

The workaround is that I can get the desired results by putting the following in ${merge}/ejb-method-permissions.ent:

    <method-permission>
      <description><![CDATA[]]></description>
      <role-name>Active</role-name>
      <method>
        <description><![CDATA[create permissions for PPS system]]></description>
        <ejb-name>SecurityTestAPI</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>create</method-name>
        <method-params></method-params>
      </method>
    </method-permission>

The bean can be created, callByAdmin() fails, and callByBuyer() succeeds.

My question is, is there any way to achieve the same results using only markup? That would be far preferable to having to maintain a separate merge file with entries for every session bean.

Regards,
John

_______________________________________________
xdoclet-user mailing list
xdoclet-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xdoclet-user
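The failure quoted above (requiredRoles=[]) is what a container reports when no method-permission element in the assembled ejb-jar.xml covers the method being called, so the quickest way to see what XDoclet (plus any merge file) actually produced is to audit the generated descriptor rather than guess from the tags. The script below is an added example, not code from the post or from XDoclet: it parses an ejb-jar.xml, resolves which roles each bean method requires on each interface (honouring method-intf, the "*" method wildcard and the EJB 2.0 unchecked element), reproduces the container's allow/deny decision for a principal with given roles, and lists methods that no entry covers. The descriptor embedded in it is constructed to match the bean in the post with the Home create entry from the merge-file workaround included; the interface name comparison is case-insensitive because JBoss prints interface=HOME while the descriptor uses Home. Note the caveat it surfaces for view-type="both": an entry restricted to method-intf Home leaves create on the LocalHome interface with no required roles at all.

```python
# Audit of method-permission entries in an EJB 2.x ejb-jar.xml assembly descriptor.
# Added example (not from the post or XDoclet). The descriptor below is constructed to
# match the bean in the post, with the create-method entry from the
# ${merge}/ejb-method-permissions.ent workaround merged in.
from xml.etree import ElementTree as ET

SAMPLE_EJB_JAR = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>SecurityTestAPI</ejb-name>
      <ejb-class>api.test.security.SecurityTestAPIBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <method-permission>
      <role-name>Admin</role-name>
      <method>
        <ejb-name>SecurityTestAPI</ejb-name>
        <method-name>callByAdmin</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>Buyer</role-name>
      <method>
        <ejb-name>SecurityTestAPI</ejb-name>
        <method-name>callByBuyer</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>Active</role-name>
      <method>
        <ejb-name>SecurityTestAPI</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>create</method-name>
        <method-params></method-params>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""


def _text(elem, tag):
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else None


def load_permissions(xml_text):
    """Flatten every <method-permission>/<method> pair into one dict per method."""
    entries = []
    descriptor = ET.fromstring(xml_text).find("assembly-descriptor")
    if descriptor is None:
        return entries
    for mp in descriptor.findall("method-permission"):
        roles = {r.text.strip() for r in mp.findall("role-name") if r.text}
        unchecked = mp.find("unchecked") is not None  # EJB 2.0: open to any caller
        for m in mp.findall("method"):
            entries.append({
                "roles": roles,
                "unchecked": unchecked,
                "ejb": _text(m, "ejb-name"),
                "intf": _text(m, "method-intf"),  # None: applies to every interface
                "name": _text(m, "method-name"),  # "*": applies to every method
            })
    return entries


def _matching(entries, ejb_name, method_name, interface):
    """Yield entries that apply to one method on one interface (Home, LocalHome, Remote, Local)."""
    for e in entries:
        if e["ejb"] != ejb_name or e["name"] not in ("*", method_name):
            continue
        if e["intf"] is not None and e["intf"].lower() != interface.lower():
            continue
        yield e


def required_roles(entries, ejb_name, method_name, interface):
    """Union of roles granted to the method on that interface; empty means no entry covers it."""
    roles = set()
    for e in _matching(entries, ejb_name, method_name, interface):
        roles |= e["roles"]
    return roles


def is_unchecked(entries, ejb_name, method_name, interface):
    return any(e["unchecked"] for e in _matching(entries, ejb_name, method_name, interface))


def access_allowed(entries, ejb_name, method_name, interface, principal_roles):
    """The container's decision: unchecked passes, otherwise the caller needs at least one
    required role. With no entry at all the required set is empty and every caller is
    refused, which is the requiredRoles=[] failure quoted in the post."""
    if is_unchecked(entries, ejb_name, method_name, interface):
        return True
    return bool(required_roles(entries, ejb_name, method_name, interface) & set(principal_roles))


def unprotected_methods(entries, ejb_name, interface, method_names):
    """Methods on the interface that no method-permission covers (denied to everyone)."""
    return [m for m in method_names
            if not is_unchecked(entries, ejb_name, m, interface)
            and not required_roles(entries, ejb_name, m, interface)]


if __name__ == "__main__":
    perms = load_permissions(SAMPLE_EJB_JAR)
    test_roles = ["Active", "Buyer"]  # roles of the "test" user in the post
    for intf, method in [("Home", "create"), ("LocalHome", "create"),
                         ("Remote", "callByAdmin"), ("Remote", "callByBuyer")]:
        print(intf, method, sorted(required_roles(perms, "SecurityTestAPI", method, intf)),
              "allowed" if access_allowed(perms, "SecurityTestAPI", method, intf, test_roles) else "denied")
```

Run it against the real descriptor XDoclet writes into the build directory (read the file into load_permissions instead of SAMPLE_EJB_JAR) and feed unprotected_methods the method names of each home and component interface; anything it returns is a method that will fail exactly as create did, before a single client call is made.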