[jboss-jira] [JBoss JIRA] Reopened: (JBAS-5960) EJB2: Lack of security domain in JBoss DD does not bypass security

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Mon Oct 20 16:20:20 EDT 2008 

     [ https://jira.jboss.org/jira/browse/JBAS-5960?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anil Saldhana reopened JBAS-5960:
---------------------------------



Marcus, can you modify the test to include cases that pass also

========================
public void testEJB() throws Exception
   { 
      log.debug("+++ testEJBNullSecurityDomain");
      Object obj = getInitialContext().lookup("null.StatelessSession");
      obj = PortableRemoteObject.narrow(obj, StatelessSessionHome.class);
      StatelessSessionHome home = (StatelessSessionHome) obj;
      log.debug("Found null.StatelessSession Home");
      StatelessSession bean = null;
      try
      {
         bean = home.create(); 
         fail("Invoking create() should fail");
      }
      catch (Exception e)
      {
         Throwable t = e.getCause();
         if (t instanceof SecurityException)
         {
            log.debug("Invoking create() was correctly denied by a SecurityException:", e); 
         }
         else
         {
            log.debug("Invoking create() failed by an unexpected reason:", e);
            fail("Unexpected exception");
         }
      }
      SecurityClient client = SecurityClientFactory.getSecurityClient();
      client.setSimple(username, password);
      client.login();
      try
      {
         bean = home.create(); 
         bean.echo("hi");
      }
      catch(Exception e)
      {
         fail(e.getLocalizedMessage());
      }
   }

=============================

An example.

> EJB2: Lack of security domain in JBoss DD does not bypass security
> ------------------------------------------------------------------
>
>                 Key: JBAS-5960
>                 URL: https://jira.jboss.org/jira/browse/JBAS-5960
>             Project: JBoss Application Server
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: EJB2
>    Affects Versions: JBossAS-5.0.0.CR1
>            Reporter: Anil Saldhana
>            Assignee: Marcus Moyses
>             Fix For: JBossAS-5.0.0.GA
>
>
> Currently, if there is no security domain defined for a deployment, we bypass security with a fat WARN message.  But if there is presence of security meta data for the deployment (EJB2 method perms in ejb-jar.xml), there is an expectation of security enforcement. In this case, we need to default the security domain to "other".

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list