
@RolesAllowed not affecting calls to my EJB3 session bean method?

 
Mark E Hansen
Ranch Hand
Posts: 650
I'm going through the book: EJB3 in Action and wanted to try the declarative security on one of the methods in a stateful session bean.
I added the following annotation in front of my bean method:

@RolesAllowed("ADMIN")

but I'm still able to call the method from my web-tier client (servlet) even though I'm not authenticated (and so the caller principal is the anonymous user).

I added calls to the method which performed a context.isCallerInRole("ADMIN"), which returned false, so the security system seems to know I don't participate in the ADMIN role.

I know there's still more which needs to be done to implement security for my application (such as mapping users/groups to application roles, etc.), but shouldn't the annotation require that the current principal (anonymous) participate in the "ADMIN" role, just as the programmatic logic seems to do?

Thanks,
 
Mark E Hansen
Ranch Hand
Posts: 650
Just in case others are having a similar problem, I thought I would post what I found.

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.

I decided that I wanted to use a DatabaseServerLoginModule, so I configured JBoss AS to have one, and named the application-policy (in login-config.xml) "database-domain".

Once that was in place and working, the @RolesAllowed in my EJB3 bean method was still not taking effect. I found that I needed to add the following annotation to the bean class:



Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.

Once I added the (correct) SecurityDomain annotation to the bean class, the @RolesAllowed annotation on the bean method was honored.

Thanks,
 
Jaikiran Pai
Sheriff
Posts: 10447
Mark E Hansen wrote:

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.

You are right, the (application server specific) @SecurityDomain or security-domain in xml is required to enable security checks.
Mark E Hansen wrote:

I found that I needed to add the following annotation to the bean class:


Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.

@org.jboss.security.annotation.SecurityDomain was for AS-4.x. That annotation has been moved to @org.jboss.ejb3.annotation.SecurityDomain in AS-5.x and later.


 
Mark E Hansen
Ranch Hand
Posts: 650
Jaikiran Pai wrote:
Mark E Hansen wrote:

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.

You are right, the (application server specific) @SecurityDomain or security-domain in xml is required to enable security checks.
I see. And if I want to specify the security domain for the entire application (rather than setting it on a per bean class basis), I can set it in the ejb-jar META-INF/jboss.xml file, using the <security-domain> setting.
Jaikiran Pai wrote:
Mark E Hansen wrote:

I found that I needed to add the following annotation to the bean class:


Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.

@org.jboss.security.annotation.SecurityDomain was for AS-4.x. That annotation has been moved to @org.jboss.ejb3.annotation.SecurityDomain in AS-5.x and later.


Ahh, thanks for that. I've added that little tidbit to my notes.

Thanks again,
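The configuration the thread settles on, written out as an added example (this is not code from the thread, from the book, or from JBoss itself): a stateful session bean bound to the "database-domain" security domain named above, with the declarative @RolesAllowed check next to the programmatic isCallerInRole() check from the first post. The interface and bean names, the resetPassword method and the two-file layout are made up for the illustration; the annotation class names are the ones the thread identifies for AS 5.x.

```java
// --- AccountAdmin.java --- (hypothetical local business interface)
import javax.ejb.Local;

@Local
public interface AccountAdmin {
    void resetPassword(String accountId);
    String describeCaller();
}

// --- AccountAdminBean.java ---
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateful;
import org.jboss.ejb3.annotation.SecurityDomain;

/*
 * Without the class-level @SecurityDomain (or an equivalent <security-domain>
 * element in META-INF/jboss.xml), JBoss AS never attaches its security
 * interceptor to this bean, so @RolesAllowed is silently ignored and an
 * anonymous caller reaches resetPassword() unchecked. Binding the bean to the
 * "database-domain" application-policy from login-config.xml is what makes the
 * declarative check take effect. The domain name is assumed to match yours.
 */
@Stateful
@SecurityDomain("database-domain")
public class AccountAdminBean implements AccountAdmin {

    @Resource
    private SessionContext ctx;

    // Declarative authorization: once the security domain is active, the
    // container rejects any caller not in the ADMIN role with
    // javax.ejb.EJBAccessException before this method body runs.
    @RolesAllowed("ADMIN")
    public void resetPassword(String accountId) {
        // Belt-and-braces check: redundant when the domain is bound, but it
        // fails closed if the deployment is misconfigured and the container
        // check never runs (isCallerInRole() returns false in that case, as
        // observed in the thread).
        if (!ctx.isCallerInRole("ADMIN")) {
            throw new EJBAccessException("caller is not in role ADMIN");
        }
        // ... perform the privileged operation for accountId ...
    }

    // Open method that reports what the container believes about the caller.
    // For an unauthenticated web-tier client this yields the anonymous
    // principal and "(not ADMIN)".
    @PermitAll
    public String describeCaller() {
        String name = ctx.getCallerPrincipal().getName();
        return name + (ctx.isCallerInRole("ADMIN") ? " (ADMIN)" : " (not ADMIN)");
    }
}
```

A quick way to confirm the check is live after deploying: call resetPassword() from the servlet without logging in and expect javax.ejb.EJBAccessException. If the call still succeeds, the bean is not bound to a security domain, either through the class annotation shown here or through the <security-domain> element in META-INF/jboss.xml that the thread mentions for application-wide use.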
 