@RolesAllowed not affecting calls to my EJB3 session bean method?

I'm going through the book: EJB3 in Action and wanted to try the declarative security on one of the methods in a stateful session bean.
I added the following annotation in front of my bean method:

@RolesAllowed("ADMIN")

but I'm still able to call the method from my web-tier client (servlet) even though I'm not authenticated (and so the caller principal is the anonymous user).

I added calls to the method which performed a context.isCallerInRole("ADMIN"), which returned false, so the security system seems to know I don't participate in the ADMIN role.

I know there's still more which needs to be done to implement security for my application (such as mapping users/groups to application roles, etc.), but shouldn't the annotation require that the current principal (anonymous) participate in the "ADMIN" role, just as the programmatic logic seems to do?

Thanks,
Just in case others are having a similar problem, I thought I would post what I found.

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.

I decided that I wanted to use a DatabaseServerLoginModule, so I configured JBoss AS to have one, and named the application-policy (in login-config.xml) "database-domain".

Once that was in place and working, the @RolesAllowed in my EJB3 bean method was still not taking effect. I found that I needed to add the following annotation to the bean class:



Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.

Once I added the (correct) SecurityDomain annotation to the bean class, the @RolesAllowed annotation on the bean method was honored.

Thanks,

Mark E Hansen wrote:

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.


You are right, the (application server specific) @SecurityDomain or security-domain in xml is required to enable security checks.
Mark E Hansen wrote:

I found that I needed to add the following annotation to the bean class:

Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.


@org.jboss.security.annotation.SecurityDomain was for AS-4.x. That annotation has been moved to @org.jboss.ejb3.annotation.SecurityDomain in AS-5.x and later.



Jaikiran Pai wrote:

Mark E Hansen wrote:

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.


You are right, the (application server specific) @SecurityDomain or security-domain in xml is required to enable security checks.

I see. And if I want to specify the security domain for the entire application (rather than setting it on a per bean class basis), I can set it in the ejb-jar META-INF/jboss.xml file, using the <security-domain> setting.

Jaikiran Pai wrote:

Mark E Hansen wrote:

I found that I needed to add the following annotation to the bean class:

Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.


@org.jboss.security.annotation.SecurityDomain was for AS-4.x. That annotation has been moved to @org.jboss.ejb3.annotation.SecurityDomain in AS-5.x and later.



Ahh, thanks for that. I've added that little tidbit to my notes.

Thanks again,
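The configuration the thread converges on, written out as an added example (this is not code posted by either participant): the bean class is bound to the JAAS application-policy with the AS-5.x `@org.jboss.ejb3.annotation.SecurityDomain` annotation, a method carries `@RolesAllowed("ADMIN")`, and a second method performs the same check programmatically through `SessionContext.isCallerInRole`. The bean, interface, method and helper names are hypothetical; `"database-domain"` is the application-policy name from the thread. As the last reply notes, the same binding can instead be declared once for the whole ejb-jar with `<security-domain>` in `META-INF/jboss.xml`.

```java
// Added example, not from the thread: a stateful session bean combining the
// JBoss-specific security-domain binding with standard EJB3 role checks.
// Names below are hypothetical; "database-domain" is the thread's policy name.
package example.secure;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateful;

// AS-5.x and later. On AS-4.x the equivalent annotation lived at
// org.jboss.security.annotation.SecurityDomain, which AS-5.x does not honour.
import org.jboss.ejb3.annotation.SecurityDomain;

@Local
interface AdminTools {
    void resetAuditLog();
    boolean callerIsAdmin();
}

@Stateful
// Binds the bean to the application-policy named in login-config.xml.
// Without this binding (or <security-domain> in META-INF/jboss.xml) the
// container performs no authorization checks and @RolesAllowed is ignored,
// which is exactly the symptom described at the top of the thread.
@SecurityDomain("database-domain")
public class AdminToolsBean implements AdminTools {

    @Resource
    private SessionContext ctx;

    // Declarative check: once the domain is bound, a caller outside the ADMIN
    // role (including the unauthenticated anonymous principal) receives
    // javax.ejb.EJBAccessException before the method body runs.
    @RolesAllowed("ADMIN")
    public void resetAuditLog() {
        // privileged work would go here
    }

    // Programmatic check: the same test the thread used to confirm that the
    // container already knew the caller was not in ADMIN.
    @PermitAll
    public boolean callerIsAdmin() {
        return ctx.isCallerInRole("ADMIN");
    }
}

// Web-tier side (hypothetical helper for the servlet): with authorization
// enabled, denial surfaces as an exception rather than a silent success, so
// the caller must treat EJBAccessException as a refused request.
class AdminServletHelper {
    static boolean tryReset(AdminTools tools) {
        try {
            tools.resetAuditLog();
            return true;
        } catch (EJBAccessException denied) {
            return false; // map to an HTTP 403 response in the servlet
        }
    }
}
```

The useful check when diagnosing this class of problem is the contrast between the two methods: if `callerIsAdmin()` returns `false` but `resetAuditLog()` still succeeds for the same caller, the role mapping is working and the missing piece is the security-domain binding on the bean (or in `jboss.xml`), not the login module.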