
Where do I put method-permission for allowed method calls

 
Jonah Black
Greenhorn
Posts: 4
Hi,

Running eclipse helios, tomcat 5.5, jdk 6

I've created a JAX-WS service, which uses HTTP basic auth and works fine. Further, I've used annotations, in particular for 2 methods, one accessible by normal users, the other only by admin.

E.g. @RolesAllowed(value = {"adminUser"})
public String updates1(String s)
{}


Now I would like to setup the method-permission as described here: http://docs.sun.com/app/docs/doc/819-3669/bnbyv?l=en&a=view

In particular I want to set up a method-permission for the basicUser role so that it cannot access the updates1 method defined above. So I would assume it looks like this?

<method-permission>
<role-name>basicUser</role-name>
<method>
<ejb-name>wsServiceName</ejb-name> <!-- from web.xml servlet-name -->
<method-intf>Remote</method-intf>
<method-name>offerlist</method-name> <!-- only this method should be accessible, not updates1 listed above-->
</method>
</method-permission>

Of course, from what I've read this should be in an assembly descriptor, but I cannot get this to work. It seems that this should all be done in the ejb-jar.xml file, is this correct?

This is a POJO object. I'm not using EJB, so what do I put in the ejb-jar.xml for <enterprise-beans>?

For the life of me I cannot figure it out, and I do not want to call wsContext.isUserInRole in the method updates1. To me that defeats the purpose of this declarative security.

Can you help?

thanks



 
Ivan Krizsan
Ranch Hand
Posts: 2198
Hi!
Method-grained security can only be obtained when using an EJB as endpoint implementation and not with POJOs (also known as servlet-based endpoint implementation classes).
Best wishes!
 
Naren Chivukula
Ranch Hand
Posts: 577
Hi Jonah,
"I do not want to call wsContext.isUserInRole in the method updates1. To me that defeats the purpose of this declarative security."

If you want neither programmatic security nor to use EJBs, then the only other way is to segregate your methods into different Servlets and apply declarative security in web.xml on individual Servlets. This is not a good approach, though, unless you really don't want to use one of the other two options.
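
The servlet-per-role layout described in the reply above, as an added example that is not part of the original thread: a web.xml fragment in which the servlet names, URL patterns and realm name are hypothetical, the role names are the ones from the question, and letting adminUser also reach the basic endpoint and requiring TLS are assumptions.

```xml
<!-- Fragment of WEB-INF/web.xml, placed inside <web-app>.
     Servlet names and URL patterns are hypothetical; the <servlet>
     declarations for the web-service stack in use are omitted. -->
<servlet-mapping>
  <servlet-name>basicEndpoint</servlet-name>   <!-- endpoint exposing offerlist -->
  <url-pattern>/services/basic/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>adminEndpoint</servlet-name>   <!-- endpoint exposing updates1 -->
  <url-pattern>/services/admin/*</url-pattern>
</servlet-mapping>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Basic operations</web-resource-name>
    <url-pattern>/services/basic/*</url-pattern>
    <!-- No <http-method> element: the constraint then applies to every
         HTTP method, so no verb is left outside the constraint. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>basicUser</role-name>
    <role-name>adminUser</role-name>           <!-- assumption: admins may call it too -->
  </auth-constraint>
  <user-data-constraint>                        <!-- assumption: Basic auth only over TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin operations</web-resource-name>
    <url-pattern>/services/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>adminUser</role-name>           <!-- basicUser is rejected with 403 -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ws-realm</realm-name>            <!-- constructed realm name -->
</login-config>
<security-role><role-name>basicUser</role-name></security-role>
<security-role><role-name>adminUser</role-name></security-role>
```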
 
Gupta Tarun
Greenhorn
Posts: 22

We are implementing Spring Security based declarative permission checks in our Axis2 web services, which look something like this:



Here are some references :
http://burtbeckwith.github.com/grails-spring-security-acl/docs/manual/guide/2.%20Usage.html
http://blog.springsource.com/2009/06/03/spring-security-300m1-released/

Will be happy to help in case you need further information.

Regards
Tarun
 