Hi,
Running Eclipse Helios, Tomcat 5.5, JDK 6.
I've created a JAX-WS service, which uses HTTP basic auth and works fine. Further, I've used annotations, in particular for 2 methods: one accessible by normal users, the other only by admin.
E.g.
    @RolesAllowed(value = {"adminUser"})
    public String updates1(String s)
    {}
Now I would like to set up the method-permission as described here:
http://docs.sun.com/app/docs/doc/819-3669/bnbyv?l=en&a=view
In particular, I want to set up a method-permission for the basicUser role so that it cannot access the updates1 method defined above. So I would assume it looks like this?
    <method-permission>
        <role-name>basicUser</role-name>
        <method>
            <ejb-name>wsServiceName</ejb-name> <!-- from web.xml servlet-name -->
            <method-intf>Remote</method-intf>
            <method-name>offerlist</method-name> <!-- only this method should be accessible, not updates1 listed above -->
        </method>
    </method-permission>
Of course, from what I've read this should be in an assembly descriptor, but I cannot get this to work. It seems that this should all be done in the ejb-jar.xml file, is this correct?
This is a POJO object. I'm not using EJB, so what do I put in the ejb-jar.xml for <enterprise-beans>?
For the life of me I cannot figure it out, and I do not want to call wsContext.isUserInRole in the method updates1. To me that defeats the purpose of this declarative security.
Can you help?
Thanks