• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

@RolesAllowed not affecting calls to my EJB3 session bean method?

 
Ranch Hand
Posts: 650
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'm going through the book: EJB3 in Action and wanted to try the declarative security on one of the methods in a stateful session bean.
I added the following annotation in front of my bean method:

@RolesAllowed("ADMIN")

but I'm still able to call the method from my web-tier client (servlet) even though I'm not authenticated (and so the caller principal is the anonymous user).

I added calls to the method which performed a context.isCallerInRole("ADMIN"), which returned false, so the security system seems to know I don't participate in the ADMIN role.

I know there's still more which needs to be done to implement security for my application (such as mapping users/groups to application roles, etc.), but shouldn't the annotation require that the current principal (anonymous) participate in the "ADMIN" role, just as the programmatic logic seems to do?

Thanks,
 
Mark E Hansen
Ranch Hand
Posts: 650
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Just in case others are having a similar problem, I thought I would post what I found.

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.

I decided that I wanted to use a DatabaseServerLoginModule, so I configured JBoss AS to have one, and named the application-policy (in login-config.xml) "database-domain".

Once that was in place and working, the @RolesAllowed in my EJB3 bean method was still not taking effect. I found that I needed to add the following annotation to the bean class:



Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.

Once I added the (correct) SecurityDomain annotation to the bean class, the @RolesAllowed annotation on the bean method was honored.

Thanks,
 
Sheriff
Posts: 10445
227
IntelliJ IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Mark E Hansen wrote:

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.


You are right, the (application server specific) @SecurityDomain or security-domain in xml is required to enable security checks.
I found that I needed to add the following annotation to the bean class:

Mark E Hansen wrote:


Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.


@org.jboss.security.annotation.SecurityDomain was for AS-4.x. That annotation has been moved to @org.jboss.ejb3.annotation.SecurityDomain in AS-5.x and later.


 
Mark E Hansen
Ranch Hand
Posts: 650
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Jaikiran Pai wrote:

Mark E Hansen wrote:

It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.


You are right, the (application server specific) @SecurityDomain or security-domain in xml is required to enable security checks.

I see. And if I want to specify the security domain for the entire application (rather than setting it on a per bean class basis), I can set it in the ejb-jar META-INF/jboss.xml file, using the <security-domain> setting.

Jaikiran Pai wrote:
I found that I needed to add the following annotation to the bean class:

Mark E Hansen wrote:


Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.


@org.jboss.security.annotation.SecurityDomain was for AS-4.x. That annotation has been moved to @org.jboss.ejb3.annotation.SecurityDomain in AS-5.x and later.



Ahh, thanks for that. I've added that little tidbit to my notes

Thanks again,
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
reply
    Bookmark Topic Watch Topic
  • New Topic