@RolesAllowed not affecting calls to my EJB3 session bean method?

Mark E Hansen
Ranch Hand
Posts: 650
I'm going through the book: EJB3 in Action and wanted to try the declarative security on one of the methods in a stateful session bean.
I added the following annotation in front of my bean method:

@RolesAllowed("ADMIN")

but I'm still able to call the method from my web-tier client (servlet) even though I'm not authenticated (and so the caller principal is the anonymous user).

I added calls to the method which performed a context.isCallerInRole("ADMIN"), which returned false, so the security system seems to know I don't participate in the ADMIN role.

I know there's still more which needs to be done to implement security for my application (such as mapping users/groups to application roles, etc.), but shouldn't the annotation require that the current principal (anonymous) participate in the "ADMIN" role, just as the programmatic logic seems to do?

Thanks,
 
Mark E Hansen
Ranch Hand
Posts: 650
Just in case others are having a similar problem, I thought I would post what I found.

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.

I decided that I wanted to use a DatabaseServerLoginModule, so I configured JBoss AS to have one, and named the application-policy (in login-config.xml) "database-domain".

Once that was in place and working, the @RolesAllowed in my EJB3 bean method was still not taking effect. I found that I needed to add the following annotation to the bean class:



Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.

Once I added the (correct) SecurityDomain annotation to the bean class, the @RolesAllowed annotation on the bean method was honored.

Thanks,
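As an added example (not code from the thread, the book, or JBoss itself), here is a stateful bean wired the way the two posts describe: the "database-domain" policy from login-config.xml is bound with the AS-5.x @SecurityDomain annotation that the reply further down names, next to the programmatic isCallerInRole check from the first post. AdminToolsBean, AdminTools, the package and the method names are hypothetical.

```java
package example; // hypothetical package, not from the thread

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateful;
import org.jboss.ejb3.annotation.SecurityDomain;

// Hypothetical local business interface for the bean below.
@Local
interface AdminTools {
    void resetUserPassword(String user);
    boolean canReset(String user);
}

// Binds the bean to the "database-domain" application-policy from
// login-config.xml (the name used in the post). Without this annotation, or a
// <security-domain> element in META-INF/jboss.xml, JBoss never consults a
// security domain for this bean and the @RolesAllowed below is not enforced.
@Stateful
@SecurityDomain("database-domain")
public class AdminToolsBean implements AdminTools {

    @Resource
    private SessionContext ctx;

    // Declarative check: once the domain is configured, the container rejects
    // any caller not mapped to the ADMIN role (the anonymous principal
    // included) with javax.ejb.EJBAccessException before the body runs.
    @RolesAllowed("ADMIN")
    public void resetUserPassword(String user) {
        // ... business logic reached only by ADMIN callers ...
    }

    // Programmatic check, as in the first post: isCallerInRole only reports
    // the answer (false for the anonymous caller), so the method itself must
    // decide what to do with it. That is why it looked like the programmatic
    // path "worked" while the annotation appeared to be ignored.
    @PermitAll
    public boolean canReset(String user) {
        return ctx.isCallerInRole("ADMIN")
            || ctx.getCallerPrincipal().getName().equals(user);
    }
}
```

The jboss.xml route mentioned later in the thread sets the same domain once for every bean in the jar instead of on each class.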
 
Jaikiran Pai
Sheriff
Posts: 10447

Mark E Hansen wrote:

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.


You are right, the (application server specific) @SecurityDomain or security-domain in xml is required to enable security checks.
Mark E Hansen wrote:

I found that I needed to add the following annotation to the bean class:

Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.


@org.jboss.security.annotation.SecurityDomain was for AS-4.x. That annotation has been moved to @org.jboss.ejb3.annotation.SecurityDomain in AS-5.x and later.


 
Mark E Hansen
Ranch Hand
Posts: 650

Jaikiran Pai wrote:

Mark E Hansen wrote:

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.


You are right, the (application server specific) @SecurityDomain or security-domain in xml is required to enable security checks.

I see. And if I want to specify the security domain for the entire application (rather than setting it on a per bean class basis), I can set it in the ejb-jar META-INF/jboss.xml file, using the <security-domain> setting.

Jaikiran Pai wrote:

Mark E Hansen wrote:

I found that I needed to add the following annotation to the bean class:

Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.

@org.jboss.security.annotation.SecurityDomain was for AS-4.x. That annotation has been moved to @org.jboss.ejb3.annotation.SecurityDomain in AS-5.x and later.



Ahh, thanks for that. I've added that little tidbit to my notes.

Thanks again,
 