
Problems with Security API of JEE6 using JBoss 7.1.1

Matthias Grafen
Posts: 1
Hello everybody,

I am working with EJB 3.1 and I have been testing the security API from JEE.

I wanted to show the effect of some annotations like @DeclareRoles, @PermitAll, @DenyAll, @RolesAllowed and the method isCallerInRole(String role) from javax.ejb.SessionContext.

Dealing with this subject I read the following articles:
  • Sun Microsystems, JSR 318: Enterprise JavaBeans™, Version 3.1, EJB Core Contracts and Requirements, November, Chapter 17: Security Management
  • The Java EE 6 Tutorial, Chapter 39 "Introduction to Security in the Java EE Platform" and Chapter 41 "Getting Started Securing Enterprise Applications"
  • Java™ Platform, Enterprise Edition (Java EE) Specification, v6
  • JBoss 7.1 Admin Guide, Security Realms

I tried a simple exercise with a client calling a session bean via its remote interface and did not get the expected results.

Here are the details:
I am working on a laptop using Windows 7 Professional, JDK 1.7.0_04,
Eclipse Juno (Build id: 20120614-1722) and JBoss 7.1.1.

In JBoss I created two application users.
The result (without the comments above) can be seen in the following two files (in ~ \jboss-as-7.1.1.Final\standalone\configuration)



I created a new EJB Project with the name DemoSecurityMini.

As shown in the following interface and the implementing session bean, I experimented with the effect of @PermitAll (method printStatement()), @DenyAll (method destroyBank()), @RolesAllowed (method createAccount()) and the method isCallerInRole() (see method withdrawMoney(int amount)).

The client shown in the following lines tries to invoke the above shown methods for the two roles „clerk“ and „admin“.

The client uses the following utility class (I list only the important code lines for the problem.)

Finally, I add the two exception classes.

Starting the JBoss AS 7.1.1 I got the expected namespace (so I think the class ServiceLocator is working well.)

Besides I used Ant to build the project. I got a jar-file DemoSecurityMini.jar and an ear-file DemoSecurityMini.ear. In my opinion this also seems to be all right.

I started the client and got the following result:

(1) This is what I expected.
(2) For the role „clerk“ I expected that the method createAccount() would not be executed. Instead, there should have been the exception message „----- No permission for creating account“.
(3) This is what I expected.
(4) For the role „clerk“ I expected that withdrawMoney(1001) would return „ok: You are clerk and may withdraw 1001“
(5) With respect to the @DenyAll annotation I had expected „****** Illegal You must not destroy the bank!!!“

(6) This is what I expected.
(7) This is what I expected.
(8) This is what I expected.
(9) The user admin is part of the @RolesAllowed, so in my opinion the method should be executed. As the role „admin“ differs from the role „clerk“, a WithdrawException should be thrown. So in my opinion we should see „Not ok. Only clerk is allowed to withdraw 1001“
(10) I expected another result (see (5)).

I would be very glad if somebody can help me. Thanks a lot for your encouragement!

