[jboss-user] [EJB 3.0] - Security annotations not working in 5.0.0.Beta3

javidjamae do-not-reply at jboss.com
Fri Jan 25 11:38:27 EST 2008


I'm trying to call an EJB with security annotations set on it, but only some of them work properly. Here is the EJB that I have:


  | import javax.annotation.security.DenyAll;
  | import javax.annotation.security.PermitAll;
  | import javax.annotation.security.RolesAllowed;
  | import javax.ejb.EJB;
  | import javax.ejb.Stateless;
  | // JBoss-specific annotation; the package is assumed here, the post does not show it
  | import org.jboss.ejb3.annotation.SecurityDomain;
  | 
  | @SecurityDomain("simple-security-domain")
  | // class-level rule: every method without its own security annotation should require one of these roles
  | @RolesAllowed( { "bank-manager", "teller" })
  | @Stateless
  | public class StatelessCalculatorBean implements Calculator, CalculatorRemote {
  | 
  | 	@EJB(beanName = "InterestRateMBean")
  | 	private InterestRateManager interestRateManager;
  | 
  | 	// no method-level annotation: inherits the class-level @RolesAllowed
  | 	public double calculateTotalInterest(double presentValue, int years) {
  | 		return calculateFutureValue(presentValue, years) - presentValue;
  | 	}
  | 
  | 	@RolesAllowed("teller")
  | 	public double calculateFutureValue(double presentValue, int years) {
  | 		double interestRate = interestRateManager.getInterestRate() / 100;
  | 		return presentValue * Math.pow((1.0 + interestRate), years);
  | 	}
  | 
  | 	@RolesAllowed("bank-manager")
  | 	public double getInterestRate() {
  | 		return interestRateManager.getInterestRate();
  | 	}
  | 
  | 	@DenyAll
  | 	public String getTheAnswerToLifeTheUniverseAndEverything() {
  | 		return "42";
  | 	}
  | 
  | 	@PermitAll
  | 	public String freeForAll() {
  | 		return "You're in!";
  | 	}
  | 
  | }

Here are my roles:

  | admin=bank-manager,teller
  | bank-manager=bank-manager
  | teller=teller
  | joe=customer
  | 

Here is what happens when I try to access the various methods from a standalone client:


  | --------------------------------------------
  | User: admin, Roles: bank-manager, teller
  | --------------------------------------------
  | admin could call calculateFutureValue (requires 'teller')
  | admin could call calculateTotalInterest (requires 'bank-manager' or 'teller')
  | admin could call getInterestRate (requires 'bank-manager')
  | admin could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
  | admin could not call freeForAll (PermitAll) - Caller unauthorized
  | --------------------------------------------
  | User: bank-manager, Roles: bank-manager
  | --------------------------------------------
  | bank-manager could not call calculateFutureValue (requires 'teller') - Caller unauthorized
  | bank-manager could call calculateTotalInterest (requires 'bank-manager' or 'teller')
  | bank-manager could call getInterestRate (requires 'bank-manager')
  | bank-manager could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
  | bank-manager could not call freeForAll (PermitAll) - Caller unauthorized
  | --------------------------------------------
  | User: teller, Roles: teller
  | --------------------------------------------
  | teller could call calculateFutureValue (requires 'teller')
  | teller could call calculateTotalInterest (requires 'bank-manager' or 'teller')
  | teller could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
  | teller could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
  | teller could not call freeForAll (PermitAll) - Caller unauthorized
  | --------------------------------------------
  | User: joe, Roles: customer
  | --------------------------------------------
  | joe could not call calculateFutureValue (requires 'teller') - Caller unauthorized
  | joe could call calculateTotalInterest (requires 'bank-manager' or 'teller')
  | joe could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
  | joe could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
  | joe could not call freeForAll (PermitAll) - Caller unauthorized
  | 

There are two problems (bugs?):

1) @PermitAll does not work for any of the roles.
2) From my understanding, the class-level @RolesAllowed annotation should apply to all the methods that don't override it with their own method-level @RolesAllowed annotation. As seen in the output above, everybody was able to access calculateTotalInterest() even though only bank-manager and teller were supposed to have access.

Has anybody else encountered this? I'll be glad to open a JIRA issue if these are bugs. 

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4123579#4123579
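The precedence rules the post relies on, worked through as an added example (this is not code from the post or from JBoss): a small Java program that resolves the JSR-250 annotations on a copy of the bean by reflection, applying the EJB 3.0 rules that a method-level @RolesAllowed, @PermitAll or @DenyAll overrides the class-level annotation, that an unannotated method inherits the class-level rule, and that a method with no annotation anywhere is unchecked. It then prints the access matrix a compliant container must enforce for the four users in the posted roles file, so the observed output can be diffed against it. The injected InterestRateManager is replaced by a constant and @SecurityDomain is left out, since it selects the login configuration rather than an authorization rule. The class compiles on JDK 8 as-is; on newer JDKs the javax.annotation-api jar must be on the classpath.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/** Reference resolution of JSR-250 security annotations (added example, not JBoss code). */
public class ExpectedAccessMatrix {

    /** Copy of the posted bean keeping only the JSR-250 annotations; the injected
     *  collaborator is replaced by a constant 5% rate so this compiles stand-alone. */
    @RolesAllowed({ "bank-manager", "teller" })
    public static class StatelessCalculatorBean {
        public double calculateTotalInterest(double presentValue, int years) {
            return calculateFutureValue(presentValue, years) - presentValue;
        }
        @RolesAllowed("teller")
        public double calculateFutureValue(double presentValue, int years) {
            return presentValue * Math.pow(1.05, years);
        }
        @RolesAllowed("bank-manager")
        public double getInterestRate() { return 5.0; }
        @DenyAll
        public String getTheAnswerToLifeTheUniverseAndEverything() { return "42"; }
        @PermitAll
        public String freeForAll() { return "You're in!"; }
    }

    /** A resolved rule: permit everyone, deny everyone, or require one of a set of roles. */
    static final class Rule {
        static final Rule PERMIT = new Rule(true, false, Collections.<String>emptySet());
        static final Rule DENY = new Rule(false, true, Collections.<String>emptySet());
        final boolean permitAll, denyAll;
        final Set<String> roles;
        Rule(boolean permitAll, boolean denyAll, Set<String> roles) {
            this.permitAll = permitAll; this.denyAll = denyAll; this.roles = roles;
        }
        boolean allows(Set<String> callerRoles) {
            if (denyAll) return false;
            if (permitAll) return true;
            return !Collections.disjoint(roles, callerRoles); // any one matching role suffices
        }
    }

    /** Rule declared directly on one element (class or method), or null if it declares none. */
    static Rule declared(AnnotatedElement e) {
        DenyAll d = e.getAnnotation(DenyAll.class);
        PermitAll p = e.getAnnotation(PermitAll.class);
        RolesAllowed r = e.getAnnotation(RolesAllowed.class);
        int n = (d != null ? 1 : 0) + (p != null ? 1 : 0) + (r != null ? 1 : 0);
        if (n > 1) throw new IllegalStateException("conflicting security annotations on " + e);
        if (d != null) return Rule.DENY;
        if (p != null) return Rule.PERMIT;
        if (r != null) return new Rule(false, false, new HashSet<String>(Arrays.asList(r.value())));
        return null;
    }

    /** Method-level annotation wins; otherwise the class-level one; otherwise the method is unchecked. */
    static Rule effective(Method m) {
        Rule onMethod = declared(m);
        if (onMethod != null) return onMethod;
        Rule onClass = declared(m.getDeclaringClass());
        return onClass != null ? onClass : Rule.PERMIT;
    }

    /** Expected outcome for every public business method of the bean for one caller. */
    static Map<String, Boolean> accessFor(Class<?> bean, Set<String> callerRoles) {
        Map<String, Boolean> out = new TreeMap<String, Boolean>();
        for (Method m : bean.getDeclaredMethods()) {
            if (!Modifier.isPublic(m.getModifiers()) || m.isSynthetic()) continue;
            out.put(m.getName(), effective(m).allows(callerRoles));
        }
        return out;
    }

    static Set<String> roles(String... names) {
        return new HashSet<String>(Arrays.asList(names));
    }

    public static void main(String[] args) {
        // The four principals and their roles, copied from the posted roles file.
        Map<String, Set<String>> users = new LinkedHashMap<String, Set<String>>();
        users.put("admin", roles("bank-manager", "teller"));
        users.put("bank-manager", roles("bank-manager"));
        users.put("teller", roles("teller"));
        users.put("joe", roles("customer"));
        for (Map.Entry<String, Set<String>> u : users.entrySet()) {
            System.out.println("User: " + u.getKey() + ", Roles: " + u.getValue());
            for (Map.Entry<String, Boolean> m : accessFor(StatelessCalculatorBean.class, u.getValue()).entrySet()) {
                System.out.printf("  %-45s %s%n", m.getKey(), m.getValue() ? "allowed" : "denied");
            }
        }
    }
}
```

Run with `javac ExpectedAccessMatrix.java && java ExpectedAccessMatrix`. Under these rules freeForAll is allowed for all four users and calculateTotalInterest is denied for joe, which are exactly the two rows where the posted output diverges; every other row matches what the post observed.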
