method permission - unchecked and security

 
Kelly Wood
Ranch Hand
Posts: 54
If a method permission specifies both unchecked and a security role, which will take precedence?

e.g.

<method-permission>
    <role-name>myRole</role-name>
    <method>
        <ejb-name>myEjb</ejb-name>
        <method-name>myMethod</method-name>
    </method>
</method-permission>

<method-permission>
    <unchecked/>
    <method>
        <ejb-name>myEjb</ejb-name>
        <method-name>myMethod</method-name>
    </method>
</method-permission>

According to p593 q2, this statement is false: "when a method permission relation specifies both <unchecked> and a security role, the container will use the security role". Then what is the correct behaviour? I looked through the EJB spec but cannot find the answer there. Does anyone know?
 
Thiru Thangavelu
Ranch Hand
Posts: 219
I read in the HFE book that unchecked will take precedence.
 
Kelly Wood
Ranch Hand
Posts: 54
Thanks!
 
Sankar Subbiramaniam
Ranch Hand
Posts: 116
This is mentioned in the spec (page 443).
"If the method permission relation specifies both the unchecked element for a given method and one or more security roles, the method should not be checked for authorization"
 
B.Sathish
Ranch Hand
Posts: 372
Right, but I have a question for you.

If a method comes under both unchecked and exclude-list, what will happen? Who wins?
 
Sankar Subbiramaniam
Ranch Hand
Posts: 116
According to the EJB spec, page 443: "The Application Assembler can use the exclude-list element to indicate the set of methods that should not be called. The Deployer should configure the enterprise bean's security such that no access is permitted to any method contained in the exclude-list.
If a given method is specified both in the exclude-list element and in the method permission relation, the Deployer should configure the enterprise bean's security such that no access is permitted to the method."

The actual behaviour is not specified clearly. I guess the behaviour would be vendor specific.
 
B.Sathish
Ranch Hand
Posts: 372
I don't think so. You need to be pessimistic here.

"If a given method is specified both in the exclude-list element and in the method permission relation, the Deployer should configure the enterprise bean's security such that no access is permitted to the method"

Isn't that clear? unchecked comes inside method-permission. So the <exclude-list> should win, right?

In web.xml, if you have both an empty <auth-constraint/> and an <auth-constraint> with <role-name>*</role-name>, which would win? The empty one, right?

I feel it needs to work the same way here.
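As an added example (not from the thread or any EJB container), the following Python audit script parses a constructed ejb-jar.xml fragment and applies the precedence the quoted spec text describes (exclude-list over unchecked over role-name), then flags methods that end up unchecked even though a role was named for them, which is exactly the ambiguous configuration the question asks about. The descriptor content, function names and the "denied"/"unchecked"/"roles" labels are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml fragment (not from the thread): the two conflicting
# <method-permission> entries from the question, one role-only method, and an
# <unchecked/> method that also appears in the exclude-list.
SAMPLE_DESCRIPTOR = """<ejb-jar><assembly-descriptor>
  <method-permission><role-name>myRole</role-name>
    <method><ejb-name>myEjb</ejb-name><method-name>myMethod</method-name></method>
  </method-permission>
  <method-permission><unchecked/>
    <method><ejb-name>myEjb</ejb-name><method-name>myMethod</method-name></method>
  </method-permission>
  <method-permission><role-name>admin</role-name>
    <method><ejb-name>myEjb</ejb-name><method-name>adminOnly</method-name></method>
  </method-permission>
  <method-permission><unchecked/>
    <method><ejb-name>myEjb</ejb-name><method-name>dangerous</method-name></method>
  </method-permission>
  <exclude-list>
    <method><ejb-name>myEjb</ejb-name><method-name>dangerous</method-name></method>
  </exclude-list>
</assembly-descriptor></ejb-jar>"""

def _key(m):
    # Identify a method by (ejb-name, method-name). Overloads, method-intf and the
    # "*" wildcard are not resolved here, so this is an audit aid, not the container.
    return (m.findtext("ejb-name").strip(), m.findtext("method-name").strip())

def effective_permissions(xml_text):
    # Map (ejb, method) -> (decision, roles named for it), applying the precedence
    # the quoted spec text gives: exclude-list > unchecked > role-name.
    ad = ET.fromstring(xml_text).find("assembly-descriptor")
    excluded = {_key(m) for m in ad.findall("exclude-list/method")}
    unchecked, roles = set(), {}
    for mp in ad.findall("method-permission"):
        names = {r.text.strip() for r in mp.findall("role-name")}
        for m in mp.findall("method"):
            roles.setdefault(_key(m), set()).update(names)
            if mp.find("unchecked") is not None:
                unchecked.add(_key(m))
    result = {}
    for k in excluded | unchecked | set(roles):
        decision = "denied" if k in excluded else "unchecked" if k in unchecked else "roles"
        result[k] = (decision, frozenset(roles.get(k, ())))
    return result

def ambiguous_methods(xml_text):
    # Methods that end up unchecked although a role was named for them: the
    # container will skip the authorization check, so flag them for review.
    return sorted(k for k, (d, r) in effective_permissions(xml_text).items()
                  if d == "unchecked" and r)
```

Running `ambiguous_methods(SAMPLE_DESCRIPTOR)` on the constructed descriptor reports `myEjb.myMethod`, while `dangerous` is reported as denied because the exclude-list overrides its `<unchecked/>` entry.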
 