[jboss-user] [Security] - ejb not validating user role at session bean methods + JAAS

akhilachuthan do-not-reply at jboss.com
Tue Oct 20 08:31:11 EDT 2009


I'm using EJB3 with JAAS and have defined the security policy in the login-config.xml file. The policy is specified in my EAR's META-INF/jboss.xml file.
But I see that even when I define the server method with a role that is not in the role list of the user calling the server method, the container allows the method to be accessed.

For debugging, I tried printing SessionContext.isCallerInRole(role) within the method, with the role as my method role. This returned false, as expected. In such a case EJB should not have allowed the calling function to access the method at all...

My configuration was something that worked well for JBoss 4. All these problems started once I migrated to JBoss 5...

What am I doing wrong here, or is there anything else that has to be configured?


Thanks


View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4261251#4261251
