[EJB 3.0] - Security annotations not working in 5.0.0.Beta3
by javidjamae
I'm trying to call an EJB with security annotations set on it, but only some of them work properly. Here is the EJB that I have:
| import javax.annotation.security.DenyAll;
| import javax.annotation.security.PermitAll;
| import javax.annotation.security.RolesAllowed;
| import javax.ejb.EJB;
| import javax.ejb.Stateless;
| // JBoss-specific annotation; its package differs between AS versions
| import org.jboss.annotation.security.SecurityDomain;
|
| @SecurityDomain("simple-security-domain")
| // class-level default: applies to every business method without its own annotation
| @RolesAllowed( { "bank-manager", "teller" })
| @Stateless
| public class StatelessCalculatorBean implements Calculator, CalculatorRemote {
|
|   @EJB(beanName = "InterestRateMBean")
|   private InterestRateManager interestRateManager;
|
|   // no method-level annotation: should inherit the class-level @RolesAllowed
|   public double calculateTotalInterest(double presentValue, int years) {
|     return calculateFutureValue(presentValue, years) - presentValue;
|   }
|
|   // method-level annotation overrides the class-level one
|   @RolesAllowed("teller")
|   public double calculateFutureValue(double presentValue, int years) {
|     double interestRate = interestRateManager.getInterestRate() / 100;
|     return presentValue * Math.pow((1.0 + interestRate), years);
|   }
|
|   @RolesAllowed("bank-manager")
|   public double getInterestRate() {
|     return interestRateManager.getInterestRate();
|   }
|
|   // nobody may call this, whatever roles they hold
|   @DenyAll
|   public String getTheAnswerToLifeTheUniverseAndEverything() {
|     return "42";
|   }
|
|   // every caller may call this, whatever roles they hold
|   @PermitAll
|   public String freeForAll() {
|     return "You're in!";
|   }
|
| }
Here are my roles:
| admin=bank-manager,teller
| bank-manager=bank-manager
| teller=teller
| joe=customer
|
Here is what happens when I try to access the various methods from a standalone client:
| --------------------------------------------
| User: admin, Roles: bank-manager, teller
| --------------------------------------------
| admin could call calculateFutureValue (requires 'teller')
| admin could call calculateTotalInterest (requires 'bank-manager' or 'teller')
| admin could call getInterestRate (requires 'bank-manager')
| admin could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
| admin could not call freeForAll (PermitAll) - Caller unauthorized
| --------------------------------------------
| User: bank-manager, Roles: bank-manager
| --------------------------------------------
| bank-manager could not call calculateFutureValue (requires 'teller') - Caller unauthorized
| bank-manager could call calculateTotalInterest (requires 'bank-manager' or 'teller')
| bank-manager could call getInterestRate (requires 'bank-manager')
| bank-manager could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
| bank-manager could not call freeForAll (PermitAll) - Caller unauthorized
| --------------------------------------------
| User: teller, Roles: teller
| --------------------------------------------
| teller could call calculateFutureValue (requires 'teller')
| teller could call calculateTotalInterest (requires 'bank-manager' or 'teller')
| teller could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
| teller could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
| teller could not call freeForAll (PermitAll) - Caller unauthorized
| --------------------------------------------
| User: joe, Roles: customer
| --------------------------------------------
| joe could not call calculateFutureValue (requires 'teller') - Caller unauthorized
| joe could call calculateTotalInterest (requires 'bank-manager' or 'teller')
| joe could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
| joe could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
| joe could not call freeForAll (PermitAll) - Caller unauthorized
|
There are two problems (bugs?):
1) @PermitAll does not work for any of the roles
2) From my understanding, the class-level @RolesAllowed annotation should apply to all the methods that don't override this with their own method-level @RolesAllowed annotation. As seen in the output above, everybody was able to access calculateTotalInterest() even though only bank-manager and teller were supposed to have access.
Has anybody else encountered this? I'll be glad to open a JIRA issue if these are bugs.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4123579#4123579
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4123579
18 years, 3 months
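The access matrix the EJB 3.0 spec prescribes for the bean above, as an added example that is not part of the original post or of JBoss: it reads the same javax.annotation.security annotations back through reflection and applies the spec's precedence rules (a method-level annotation overrides the class-level one; an unannotated method inherits the class-level @RolesAllowed), so the container's output can be checked against it. It generalises to any bean class, not just the posted one. The stand-in bean, the names ExpectedAccessMatrix, CalculatorUnderTest, permitted and expectedMatrix, and the principal-to-role map are constructed here to mirror the post; the javax.annotation common-annotations API must be on the classpath, as it is in any EJB 3.0 project.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/**
 * Added example: derives the access decision the EJB 3.0 spec prescribes for
 * each business method of a bean from its javax.annotation.security
 * annotations, so the container's actual behaviour can be checked against it.
 *
 * Precedence rules applied (EJB 3.0 core spec, section 17.3.2):
 *  - a method-level @DenyAll, @PermitAll or @RolesAllowed overrides any
 *    class-level annotation for that method;
 *  - a method with no security annotation inherits the class-level
 *    @PermitAll or @RolesAllowed;
 *  - a method with no security metadata at all is unchecked (allowed).
 */
public class ExpectedAccessMatrix {

    /** Constructed stand-in carrying the same annotations as the posted bean. */
    @RolesAllowed({ "bank-manager", "teller" })
    static class CalculatorUnderTest {
        public double calculateTotalInterest(double pv, int years) { return 0; }
        @RolesAllowed("teller")
        public double calculateFutureValue(double pv, int years) { return 0; }
        @RolesAllowed("bank-manager")
        public double getInterestRate() { return 0; }
        @DenyAll
        public String getTheAnswerToLifeTheUniverseAndEverything() { return "42"; }
        @PermitAll
        public String freeForAll() { return "You're in!"; }
    }

    /** True if a caller holding callerRoles may invoke m under the rules above. */
    public static boolean permitted(Method m, Set<String> callerRoles) {
        if (m.isAnnotationPresent(DenyAll.class)) {
            return false;
        }
        if (m.isAnnotationPresent(PermitAll.class)) {
            return true;
        }
        RolesAllowed allowed = m.getAnnotation(RolesAllowed.class);
        if (allowed == null) {
            // no method-level annotation: fall back to the class-level default
            Class<?> bean = m.getDeclaringClass();
            if (bean.isAnnotationPresent(PermitAll.class)) {
                return true;
            }
            allowed = bean.getAnnotation(RolesAllowed.class);
            if (allowed == null) {
                return true; // no security metadata anywhere: unchecked method
            }
        }
        for (String role : allowed.value()) {
            if (callerRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /** Expected decision for every (principal, method) pair of the given bean. */
    public static Map<String, Map<String, Boolean>> expectedMatrix(
            Class<?> bean, Map<String, Set<String>> users) {
        Map<String, Map<String, Boolean>> matrix = new LinkedHashMap<>();
        for (Map.Entry<String, Set<String>> user : users.entrySet()) {
            Map<String, Boolean> row = new LinkedHashMap<>();
            for (Method m : bean.getDeclaredMethods()) {
                row.put(m.getName(), permitted(m, user.getValue()));
            }
            matrix.put(user.getKey(), row);
        }
        return matrix;
    }

    public static void main(String[] args) {
        // Constructed principal -> roles map mirroring the posted roles file.
        Map<String, Set<String>> users = new LinkedHashMap<>();
        users.put("admin", new HashSet<>(Arrays.asList("bank-manager", "teller")));
        users.put("bank-manager", Collections.singleton("bank-manager"));
        users.put("teller", Collections.singleton("teller"));
        users.put("joe", Collections.singleton("customer"));

        Map<String, Map<String, Boolean>> matrix =
                expectedMatrix(CalculatorUnderTest.class, users);
        for (Map.Entry<String, Map<String, Boolean>> row : matrix.entrySet()) {
            System.out.println("User: " + row.getKey() + ", Roles: " + users.get(row.getKey()));
            for (Map.Entry<String, Boolean> cell : row.getValue().entrySet()) {
                System.out.printf("  %-45s %s%n", cell.getKey(),
                        cell.getValue() ? "ALLOW" : "DENY");
            }
        }
    }
}
```

Against the posted annotations this yields ALLOW on freeForAll for all four principals and DENY on calculateTotalInterest for joe; those are exactly the two rows where the container output in the post diverges from the spec, and they match the two problems the post lists. Any other bean can be passed to expectedMatrix in the same way to produce a reference matrix for a client-side test run.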
[JBoss Seam] - Transaction recovery
by breako
Hi,
I am using a Seam-managed EntityManager with FlushMode set to MANUAL for a JTA datasource.
When I flush the EntityManager for some invalid update, I get a database exception.
I catch this exception; the entity I am updating is still attached, so I try to correct the invalid data and then flush the update again. However, I can't persist the change even though this time it is valid: I get a javax.persistence.TransactionRequiredException ("no transaction is in progress").
I am wondering whether there is any way I can recover from the transaction failure.
My code is below.
| import static org.jboss.seam.ScopeType.CONVERSATION;
|
| import javax.persistence.EntityManager;
| import org.jboss.seam.annotations.End;
| import org.jboss.seam.annotations.In;
| import org.jboss.seam.annotations.Name;
| import org.jboss.seam.annotations.Scope;
|
| @Name("manager")
| @Scope(CONVERSATION)
| public class SeamPOJO {
|
|   // Seam-managed EntityManager (FlushMode MANUAL, JTA datasource), injected by Seam
|   @In
|   private EntityManager em;
|
|   @End
|   public String commit() {
|     // Create entity
|     Person person = new Person();
|     // set invalid data (too long for the column)
|     person.setName("namethatistoolong");
|     em.persist(person);
|     try {
|       em.flush();
|     } catch (Exception e) {
|       // data is invalid: correct it and flush again.
|       // This second flush is the one that throws TransactionRequiredException.
|       person.setName("john");
|       em.flush();
|     }
|     return null; // no navigation outcome
|   }
| }
Any advice or comments appreciated. Thanks.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4123575#4123575
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4123575
18 years, 3 months