[jboss-user] [Security & JAAS/JBoss] - Method permissions are ignored

johanley do-not-reply at jboss.com
Sun Dec 7 17:42:34 EST 2008 

(I am relatively new to EJBs.)

Using JBoss 4.2.3, EJB 2.0, JDK 1.5. 

Trying to add access control to an EJB, using the simple properties file style of domain.

Not working. It's as if the method permissions I define in ejb-jar.xml are not picked up. Error message :

Insufficient method permissions, principal=admin, ejbName=CurrentTimeEJB, method=create, interface=HOME, requiredRoles=[], principalRoles=[Manager,  Clerk]

The problem is that the requiredRoles are empty, and they shouldn't be. 

The login seems to succeed OK.

jboss.xml:


  | <jboss>
  |   <security-domain>java:/jaas/simple-domain</security-domain>
  |   <!-- <missing-method-permissions-excluded-mode>false</missing-method-permissions-excluded-mode> -->
  | </jboss>
  | 

When the second item above is uncommented, it works fine. But that means that my method permissions are not being 'seen' in the first place.

ejb-jar.xml:


  | <?xml version="1.0"?>
  | <!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD 
  | Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
  | 	<ejb-jar>
  | 
  |    <enterprise-beans>
  |       <session>
  |          <ejb-name>CurrentTimeEJB</ejb-name>
  |          <remote>simpleejb.timeserver.CurrentTimeRemote</remote>
  |          <home>simpleejb.timeserver.CurrentTimeRemoteHome</home>
  |          <ejb-class>simpleejb.timeserver.CurrentTimeBean</ejb-class>
  |          <session-type>Stateless</session-type>
  |          <transaction-type>Container</transaction-type>
  |       </session>
  |    </enterprise-beans>
  |    
  |    <assembly-descriptor>
  |      <security-role>
  |        <role-name>Manager</role-name>
  |      </security-role>    
  |      <security-role>
  |        <role-name>Clerk</role-name>
  |      </security-role>    
  |   
  |      <method-permisson>
  |        <role-name>Manager</role-name>
  |        <method>
  |          <ejb-name>CurrentTimeEJB</ejb-name>
  |          <method-name>*</method-name>
  |        </method>
  |      </method-permisson>
  | 
  |      <method-permisson>
  |        <role-name>Clerk</role-name>
  |        <method>
  |          <ejb-name>CurrentTimeEJB</ejb-name>
  |          <method-name>*</method-name>
  |        </method>
  |      </method-permisson>
  |   </assembly-descriptor>
  |    
  | </ejb-jar>
  | 

There's no error message when I deploy the bean. 

Any help appreciated. Thanks in advance.

- John

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4194918#4194918

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4194918

More information about the jboss-user mailing list