Win a copy of Head First Android this week in the Android forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • Paul Clapham
  • Ron McLeod
  • Liutauras Vilda
Sheriffs:
  • Jeanne Boyarsky
  • Rob Spoor
  • Bear Bibeault
Saloon Keepers:
  • Jesse Silverman
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
Bartenders:
  • Piet Souris
  • Al Hobbs
  • salvin francis

method permission - unchecked and security

 
Ranch Hand
Posts: 54
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
if method permission specifies both uncheck and security role, which will take precedence?

e.g.

<method-permission>
<role-name>myRole</role-name>
<method>
<ejb-name>myEjb</ejb-name>
<method-name>myMethod</method-name>
</method>
</method-permission>

<method-permission>
<unchecked/>
<method>
<ejb-name>myEjb</ejb-name>
<method-name>myMethod</method-name>
</method>
</method-permission>

According to p593 q2, this statement is false: "when a method permission relation specifies both <unchecked> and a security role, the container will use the security role", then what is correct behaviour? I looked through the EJB spec but can not find the answer there. Does anyone know?
 
Ranch Hand
Posts: 219
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I read in HFE book that Unchecked will take precedence.
 
Kelly Wood
Ranch Hand
Posts: 54
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks!
 
Ranch Hand
Posts: 116
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
This is mentioned in spec (page 443).
"If the method permission relation specifies both the unchecked element for a given method and one or more security roles, the method should not be checked for authorization"
 
Ranch Hand
Posts: 372
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Right, but I have a question for you.

If a method comes under both unchecked and exclude-list, what will happen? Who wins ?
 
Sankar Subbiramaniam
Ranch Hand
Posts: 116
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
According to EJb specs page 443,"The Application Assembler can use the exclude-list element to indicate the set of methods that should not be called. The Deployer should configure the enterprise bean�s security such that no access is permitted to any method contained in the exclude-list.
If a given method is specified both in the exclude-list element and in the method permission relation, the Deployer should configure the enterprise bean�s security such that no access is permitted to the method
".

The actual behaviour is not specified clearly. I guess the behaviour would be vendpr specific.
 
B.Sathish
Ranch Hand
Posts: 372
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I don't think so. You need to be pessimistic here

If a given method is specified both in the exclude-list element and in the method permission relation, the Deployer should configure the enterprise bean�s security such that no access is permitted to the method



isn't that clear? unchecked comes inside method-permission. So the <exclude-list> should win, right?

In web.xml, if you have both an empty <auth-constraint/> and an <auth-constraint> with <role-name>*</role-name>, which would win? The empty one right?

I feel it needs to work the same way here
 
Don't get me started about those stupid light bulbs.
reply
    Bookmark Topic Watch Topic
  • New Topic