@RolesAllowed not affecting calls to my EJB3 session bean method?
I'm going through the book: EJB3 in Action and wanted to try the declarative security on one of the methods in a stateful session bean.
I added the following annotation in front of my bean method:

@RolesAllowed("ADMIN")

but I'm still able to call the method from my web-tier client (servlet) even though I'm not authenticated (and so the caller principal is the anonymous user).

I added calls to the method which performed a context.isCallerInRole("ADMIN"), which returned false, so the security system seems to know I don't participate in the ADMIN role.

I know there's still more which needs to be done to implement security for my application (such as mapping users/groups to application roles, etc.), but shouldn't the annotation require that the current principal (anonymous) participate in the "ADMIN" role, just as the programmatic logic seems to do?

Thanks,
Just in case others are having a similar problem, I thought I would post what I found.

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.

I decided that I wanted to use a DatabaseServerLoginModule, so I configured JBoss AS to have one, and named the application-policy (in login-config.xml) "database-domain".

Once that was in place and working, the @RolesAllowed in my EJB3 bean method was still not taking effect. I found that I needed to add the following annotation to the bean class:



Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.

Once I added the (correct) SecurityDomain annotation to the bean class, the @RolesAllowed annotation on the bean method was honored.

Thanks,
 
Mark E Hansen wrote:

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.

You are right, the (application server specific) @SecurityDomain or security-domain in xml is required to enable security checks.
I found that I needed to add the following annotation to the bean class:

Mark E Hansen wrote:


Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.

@org.jboss.security.annotation.SecurityDomain was for AS-4.x. That annotation has been moved to @org.jboss.ejb3.annotation.SecurityDomain in AS-5.x and later.


 
Jaikiran Pai wrote:
Mark E Hansen wrote:

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.

You are right, the (application server specific) @SecurityDomain or security-domain in xml is required to enable security checks.
I see. And if I want to specify the security domain for the entire application (rather than setting it on a per bean class basis), I can set it in the ejb-jar META-INF/jboss.xml file, using the <security-domain> setting.
Jaikiran Pai wrote:
I found that I needed to add the following annotation to the bean class:

Mark E Hansen wrote:


Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.

@org.jboss.security.annotation.SecurityDomain was for AS-4.x. That annotation has been moved to @org.jboss.ejb3.annotation.SecurityDomain in AS-5.x and later.


Ahh, thanks for that. I've added that little tidbit to my notes.

Thanks again,
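To tie the thread together, here is an added example (my own, not code from the book or from either poster) of what the working bean looks like once the two pieces the thread identifies are in place: the JBoss-specific @org.jboss.ejb3.annotation.SecurityDomain on the bean class, naming the "database-domain" application-policy from login-config.xml, and the standard @RolesAllowed("ADMIN") on the method. The bean name, interface, package and method names are assumptions chosen for illustration; the security domain name, the role name and the isCallerInRole check come from the thread. The jboss.xml alternative mentioned later in the thread is shown in a trailing comment.

```java
package example.security; // hypothetical package

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateful;
import org.jboss.ejb3.annotation.SecurityDomain; // AS-5.x and later; AS-4.x used org.jboss.security.annotation.SecurityDomain

// Hypothetical business interface (local view of the stateful bean).
interface AdminService {
    void resetAllPasswords();
    boolean callerIsAdmin();
}

// Without @SecurityDomain the container has no login module to authenticate
// against, and in the poster's experience @RolesAllowed was silently not
// enforced (fail-open). Naming the domain is what switches the checks on.
@Stateful
@SecurityDomain("database-domain") // must match the application-policy name in login-config.xml
public class AdminServiceBean implements AdminService {

    @Resource
    private SessionContext context;

    // Declarative check: the container rejects callers outside the ADMIN role
    // before this method body runs, so the anonymous principal from an
    // unauthenticated servlet never reaches it.
    @RolesAllowed("ADMIN")
    public void resetAllPasswords() {
        // privileged work would go here
    }

    // Programmatic check, equivalent to what the original poster used to
    // confirm that the container knew the caller was not in ADMIN.
    public boolean callerIsAdmin() {
        return context.isCallerInRole("ADMIN");
    }
}

/*
 * Deployment-wide alternative (from the thread) instead of annotating every
 * bean class: declare the domain once in META-INF/jboss.xml of the ejb-jar.
 *
 * <jboss>
 *   <security-domain>database-domain</security-domain>
 * </jboss>
 */
```

A useful regression check once this is deployed is to call resetAllPasswords() from the unauthenticated servlet and confirm the container now rejects it (the EJB 3 specification defines javax.ejb.EJBAccessException for this case) rather than letting it through as it did before the security domain was configured. The check is worth keeping in a test suite precisely because the failure mode is silent: a missing or misspelled domain name does not produce a deployment error, it just turns the role checks off.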