Robert Brendler <robert.brendler@gmail.com> wrote, in response to Robert Brendler:
I could only achieve my intended result by adding an additional
if ( ctx.isCallerInRole("user") && !ctx.isCallerInRole("guest") ) { // needs to explicitly exclude all other roles
    return principal.toString();
} else {
    // throw new EJBAccessException("Username '"+principal.toString()+"' does NOT have role 'user'");
    return null; // for the lazy ones
}
I am not sure if this is valid usage of EJB security, but when I add another possible role in @ServletSecurity, let's simply call it "user". Role "user" does not include the rights of "guest" and vice versa, so when I annotate a second method in the SecuredEjb like the following, I expect that it is forbidden for "guest".
@RolesAllowed({"user"})
public String getSecurityInfoUser()
I log in as "guest" and in the Servlet's doGet() method make a call to both methods, both return the same result.
This leads me to the conclusion that all security annotations in SecuredEjb are rather useless, because the actual authorization happens via the authentication in the Servlet via @ServletSecurity. Basically this means I will have to...
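As an added example (not the poster's code), this is the declarative setup the comment is aiming at: a SecuredEjb whose two methods are guarded only by @RolesAllowed, and a servlet under @ServletSecurity that calls both and reports per call whether the EJB container granted or denied access. Only the role names "guest" and "user" come from the post; the class names, the URL pattern and the printed labels are assumptions.

```java
// File: SecuredEjb.java
// Added example, not the poster's code. Roles "guest" and "user" are from the
// post; everything else is an assumption. Under working container-managed
// security, a caller holding only "guest" may call getSecurityInfoGuest() and
// is rejected from getSecurityInfoUser() with javax.ejb.EJBAccessException.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"guest", "user"})
public class SecuredEjb {

    @Resource
    private SessionContext ctx;

    // Declarative check only; no isCallerInRole() workaround in the body.
    @RolesAllowed({"guest"})
    public String getSecurityInfoGuest() {
        return "guest view for " + ctx.getCallerPrincipal().getName();
    }

    @RolesAllowed({"user"})
    public String getSecurityInfoUser() {
        return "user view for " + ctx.getCallerPrincipal().getName();
    }
}

// File: SecurityInfoServlet.java
import java.io.IOException;
import java.util.function.Supplier;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Both roles may reach the servlet; the per-method decision is left to the EJB.
@WebServlet("/securityInfo")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"guest", "user"}))
public class SecurityInfoServlet extends HttpServlet {

    @EJB
    private SecuredEjb securedEjb;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        // What the web container believes about the caller.
        resp.getWriter().println("caller: " + req.getUserPrincipal().getName()
                + " isUserInRole(guest)=" + req.isUserInRole("guest")
                + " isUserInRole(user)=" + req.isUserInRole("user"));
        // What the EJB container actually enforces on each call.
        resp.getWriter().println(tryCall("getSecurityInfoGuest", securedEjb::getSecurityInfoGuest));
        resp.getWriter().println(tryCall("getSecurityInfoUser", securedEjb::getSecurityInfoUser));
    }

    // Invokes one EJB method and turns the container's decision into a line of output.
    private static String tryCall(String label, Supplier<String> call) {
        try {
            return label + ": GRANTED -> " + call.get();
        } catch (EJBAccessException denied) {
            return label + ": DENIED (" + denied.getMessage() + ")";
        }
    }
}
```

Logged in as "guest", the expected output is GRANTED for the first call and DENIED for the second. If both calls come back GRANTED, the @RolesAllowed annotations are not being evaluated at all, which points at the EJB module's security configuration rather than at the annotations: check that the EJB module is bound to the same security domain the web module authenticates against, since the web container's isUserInRole() result says nothing about what the EJB container will enforce. Adding isCallerInRole() checks inside method bodies, as in the workaround above, only masks that misconfiguration.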