[jboss-user] [Security & JAAS/JBoss] - Does <method-permission> overwrite previous entry in ejb-jar

DarekS do-not-reply at jboss.com
Wed May 20 06:49:17 EDT 2009


Hi

I'm trying to restrict the EJB method "add" in the remote interface, and leave the same method in the local interface freely accessible. I tried to use the <method-intf> tag to distinguish the interfaces. I have the following entries:

...
  | <assembly-descriptor>
  |     <security-role>
  |         <description>Calculator guest</description>
  |         <role-name>guest</role-name>
  |     </security-role>
  | 
  |     <security-role>
  |         <description>Calculator external role</description>
  |         <role-name>externalUser</role-name>
  |     </security-role>
  | 
  |     <method-permission>
  |         <role-name>guest</role-name>
  |         <method>
  |             <ejb-name>CalculatorBean</ejb-name>
  |             <method-intf>Home</method-intf>
  |             <method-name>add</method-name>
  |         </method>
  |     </method-permission>
  | 
  |     <method-permission>
  |         <role-name>externalUser</role-name>
  |         <method>
  |             <ejb-name>CalculatorBean</ejb-name>
  |             <method-intf>Remote</method-intf>
  |             <method-name>add</method-name>
  |         </method>
  |     </method-permission>
  | </assembly-descriptor>
  | ...

During debugging I saw that only the externalUser role is available for "add". It seems that the previous <method-permission> is overwritten. My "guest" role is unknown. If I comment out the last entry, then the "guest" role is available.

I'm invoking the EJB via the local interface, from another stateless EJB (packed in another jar file, but delivered in the same EAR). The caller is recognized as "guest".

Do you know what is going on? Am I specifying permissions in an incorrect way? Or did I miss something important? My login-config.xml is configured to accept "unauthenticatedIdentity".

JBoss: 4.2.0 GA
JDK: 1.6.0 u13

Thanks in advance!
Darek

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4232186#4232186
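
As an added example (not part of the original post and not JBoss code), the following Python audit reads the descriptor from the post and lists which roles it grants for "add" on each interface type. The set of method-intf values is the one defined by the EJB deployment descriptor schema; the function names are hypothetical, and the script reports only what the descriptor declares, not how JBoss 4.2.0 enforces it.

```python
import xml.etree.ElementTree as ET

# method-intf values allowed by the EJB 2.1/3.0 deployment descriptor schema
VALID_INTF = {"Home", "Remote", "LocalHome", "Local", "ServiceEndpoint"}

# Constructed input: the post's descriptor, mail quoting removed, whitespace condensed
DESCRIPTOR = """
<assembly-descriptor>
  <security-role><role-name>guest</role-name></security-role>
  <security-role><role-name>externalUser</role-name></security-role>
  <method-permission>
    <role-name>guest</role-name>
    <method><ejb-name>CalculatorBean</ejb-name>
      <method-intf>Home</method-intf><method-name>add</method-name></method>
  </method-permission>
  <method-permission>
    <role-name>externalUser</role-name>
    <method><ejb-name>CalculatorBean</ejb-name>
      <method-intf>Remote</method-intf><method-name>add</method-name></method>
  </method-permission>
</assembly-descriptor>
"""

def load_permissions(xml_text):
    """Return ({(ejb, method-intf or '*', method): roles}, [problems])."""
    root = ET.fromstring(xml_text)
    declared = {r.findtext("role-name").strip() for r in root.iter("security-role")}
    table, problems = {}, []
    for mp in root.iter("method-permission"):
        roles = {r.text.strip() for r in mp.findall("role-name")}
        problems += [f"undeclared role: {r}" for r in sorted(roles - declared)]
        for m in mp.findall("method"):
            intf = (m.findtext("method-intf") or "*").strip()
            if intf not in VALID_INTF | {"*"}:
                problems.append(f"invalid method-intf: {intf}")
            key = (m.findtext("ejb-name").strip(), intf, m.findtext("method-name").strip())
            table.setdefault(key, set()).update(roles)  # entries are keyed per interface
    return table, problems

def roles_for(table, ejb, intf, method):
    """Roles granted for `method` via `intf`; no method-intf or method-name '*' also match."""
    granted = set()
    for (e, i, m), roles in table.items():
        if e == ejb and i in (intf, "*") and m in (method, "*"):
            granted |= roles
    return granted

if __name__ == "__main__":
    table, problems = load_permissions(DESCRIPTOR)
    print({i: sorted(roles_for(table, "CalculatorBean", i, "add")) for i in sorted(VALID_INTF)}, problems)
```

For the posted descriptor this reports "guest" on Home, "externalUser" on Remote, and no roles on Local or LocalHome, because no entry names those interfaces.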