5 Replies Latest reply on May 10, 2010 6:12 AM by daniell

    security declarations in ejb-jar.xml ignored?

    daniell

Hello!

I have a problem setting EJB3 access restrictions in the ejb-jar.xml. I'm using JBoss 4.2.3 AS.

      There are several modules which are packaged as JAR and deployed together as a single EAR file on the JBoss AS. In one module, everything seems to be fine. If I add the following lines to the ejb-jar.xml, access is restricted as expected:

      {code}

        <assembly-descriptor>
          <method-permission>
            <role-name>BookListerServiceAccess</role-name>
            <method>
              <ejb-name>BookListerServiceBean</ejb-name>
              <method-name>*</method-name>
            </method>
          </method-permission>
        </assembly-descriptor>

      {code}

      Only users with the role BookListerServiceAccess can access the ServiceBean.

      In another module, I've a similar situation with DAOs, but here a definition like above doesn't work:

      {code}

        <assembly-descriptor>
          <method-permission>
            <role-name>AuthorDAOAccess</role-name>
            <method>
              <ejb-name>AuthorDAOBean</ejb-name>
              <method-name>*</method-name>
            </method>
          </method-permission>
        </assembly-descriptor>

      {code}

      It seems that the contents of the ejb-jar.xml file are ignored. This is the file jboss.xml living besides ejb-jar.xml:

{code}

    <security-domain>java:/jaas/my-policy</security-domain>

    <enterprise-beans>
        <session>
          <ejb-name>AuthorDAOBean</ejb-name>
          <jndi-name>ejb/JEEDEMO/DAO/AuthorDAO/remote</jndi-name>
          <local-jndi-name>ejb/JEEDEMO/DAO/AuthorDAO/local</local-jndi-name>
        </session>
    </enterprise-beans>

{code}

Both beans are annotated as @Stateless and I was not able to find any difference in the module setup. I know that this isn't a lot of information, but I don't even know what further information I should provide here to help you help me. I have the feeling that I've compared every character in the modules and tried out almost everything. But probably I missed one important thing...

        • 1. Re: security declarations in ejb-jar.xml ignored?
          daniell

I just want to add that access is restricted correctly if I add the @RolesAllowed annotation to the DAO bean. So basically things are working - but not when using the ejb-jar.xml.

          • 2. Re: security declarations in ejb-jar.xml ignored?
            daniell

            Ok - now I found out some interesting things:

The DAO object I want to protect extends another class.

1. If I add some method name in the ejb-jar.xml file, access to this method is restricted as expected, no matter whether this method is defined in the DAO class itself or inherited from some base class.
2. If I add the @RolesAllowed annotation to the DAO class, access to every method (implemented and inherited ones) is restricted.
3. If I try to restrict access by writing a * as method-name in the ejb-jar.xml file, only methods which are declared in the DAO class are taken into consideration. Methods from any base class can be accessed without restrictions!

I thought (and read in many books and articles) that @RolesAllowed on class level has the same meaning as using the * as method-name in the ejb-jar.xml, but obviously it does not. Is there something else I have to configure to get the desired behaviour (I don't want to use the annotations, but exclusively the XML configuration)?
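The gap described in observation 3 above, as an added example that is not part of the thread: a small Python check that parses an ejb-jar.xml assembly-descriptor and, applying the JBoss AS 4.2.3 behaviour reported here (a `*` method-name covers only methods declared on the bean class, an explicit method-name covers inherited ones too), lists the business methods that remain reachable without the role. The bean layout and the method names findByName, findById, findAll and persist are constructed assumptions; the second descriptor shows the workaround of naming the inherited methods explicitly.

```python
import xml.etree.ElementTree as ET


def descriptor(ejb_name, role, method_names):
    """Build a minimal ejb-jar.xml (constructed, same shape as the one in the thread)
    with one <method-permission> covering the given method names."""
    entries = "".join(
        f"      <method><ejb-name>{ejb_name}</ejb-name>"
        f"<method-name>{m}</method-name></method>\n"
        for m in method_names)
    return ("<ejb-jar><assembly-descriptor><method-permission>\n"
            f"      <role-name>{role}</role-name>\n{entries}"
            "</method-permission></assembly-descriptor></ejb-jar>")


# Wildcard only, as in the poster's descriptor.
WILDCARD_DESCRIPTOR = descriptor("AuthorDAOBean", "AuthorDAOAccess", ["*"])
# Wildcard plus explicit entries for every inherited business method.
EXPLICIT_DESCRIPTOR = descriptor("AuthorDAOBean", "AuthorDAOAccess",
                                 ["*", "findById", "findAll", "persist"])

# Hypothetical bean layout: methods declared on AuthorDAOBean itself versus
# methods inherited from its base class and exposed via the business interface.
DECLARED = {"findByName"}
INHERITED = {"findById", "findAll", "persist"}


def permitted_methods(descriptor_xml, ejb_name):
    """Set of <method-name> values listed for ejb_name in any <method-permission>."""
    root = ET.fromstring(descriptor_xml)
    return {m.findtext("method-name") for m in root.iter("method")
            if m.findtext("ejb-name") == ejb_name}


def unprotected_methods(descriptor_xml, ejb_name, declared, inherited):
    """Methods callable without the role under the AS 4.2.3 behaviour observed
    in the thread: '*' matches declared methods only, explicit names match both."""
    names = permitted_methods(descriptor_xml, ejb_name)
    covered = names - {"*"}
    if "*" in names:
        covered |= declared
    return (declared | inherited) - covered


if __name__ == "__main__":
    for label, doc in (("wildcard", WILDCARD_DESCRIPTOR), ("explicit", EXPLICIT_DESCRIPTOR)):
        gaps = unprotected_methods(doc, "AuthorDAOBean", DECLARED, INHERITED)
        print(f"{label}: reachable without role = {sorted(gaps)}")
```

Running it reports the three inherited methods as unprotected for the wildcard-only descriptor and none for the explicit one, which is the difference between observation 3 and observation 1 above.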

            • 3. Re: security declarations in ejb-jar.xml ignored?
              jaikiran

Daniel Lechner wrote:

1. If I try to restrict access by writing a * as method-name in the ejb-jar.xml file, only methods which are declared in the DAO class are taken into consideration. Methods from any base class can be accessed without restrictions!

Is that method from the base class exposed as a business interface method from the bean's business interface?

              • 4. Re: security declarations in ejb-jar.xml ignored?
                jaikiran

Daniel Lechner wrote:

Hello!

I have a problem setting EJB3 access restrictions in the ejb-jar.xml. I'm using JBoss 4.2.3 AS.

                JBoss AS 4.2.3 wasn't fully EJB3 compliant. There have been numerous changes in AS-5.1.0. You might want to use JBoss AS 5.1.0 and apply our latest EJB3 plugin http://www.jboss.org/ejb3/ejb3plugin.html on it and then see if it works there.

                • 5. Re: security declarations in ejb-jar.xml ignored?
                  daniell

jaikiran pai wrote:

Daniel Lechner wrote:

1. If I try to restrict access by writing a * as method-name in the ejb-jar.xml file, only methods which are declared in the DAO class are taken into consideration. Methods from any base class can be accessed without restrictions!

Is that method from the base class exposed as a business interface method from the bean's business interface?

The business interface, which is annotated with @javax.ejb.Remote, does not contain the mentioned methods itself, but inherits them from another interface. On the interface side we have a hierarchy similar to the one on the class side.

But from your remark on JBoss AS 4.2.3 I suppose that this unexpected behaviour is because the JBoss AS in use is not fully compliant with EJB3? So my question then: how did others using JBoss AS 4.2.3 implement security features in their applications?