geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <...@geronimo.apache.org>
Subject [jira] Closed: (GERONIMO-634) openejb jacc has contextID per ejb rather than contextID per ejb module
Date Mon, 18 Apr 2005 19:07:48 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-634?page=all ]
     
David Jencks closed GERONIMO-634:
---------------------------------

     Resolution: Fixed
    Fix Version: 1.0-M4

Fixed.  Only openejb changes needed, commit includes issue number.

> openejb jacc has contextID per ejb rather than contextID per ejb module
> -----------------------------------------------------------------------
>
>          Key: GERONIMO-634
>          URL: http://issues.apache.org/jira/browse/GERONIMO-634
>      Project: Geronimo
>         Type: Bug
>   Components: OpenEJB
>     Versions: 1.0-M3
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.0-M4

>
> Currently openejb creates a policy context for each ejb, containing only those permissions
relevant to that ejb.  This appears to be contrary to the jacc spec:
> On p.4 we see this definition:
> Policy Context The collection of policy statements within a policy  provider that affect
access to the resources of one or more  deployed modules.
> section 3.1.1 also appears to indicate that a policy context corresponds to a j2ee module:
> Each policy context contains all of the policy statements (as defined by this  specification)
that affect access to the resources in one or more deployed modules.    
> section 3.1.5, dealing with translation of the xml dd to permissions inside PolicyConfiguration
objects, also looks to me as if the authors assume that there is one contextID for each ejb
module.  For instance 3.1.5.1 reads:
> For each method element of each method-permission element, an  EJBMethodPermission object
translated from the method element must be added to the policy statements of the PolicyConfiguration
object. 
> Our implementation is externally indistinguishable from the per-module implementation
mandated by the spec: it will allow exactly the same access.  It is also slightly marginally
simpler at runtime although marginally more complicated at deploy time than the spec mandated
structure.
> Note that in general permissions for several modules cannot be put in a single policy
context.  Two web modules may have servlets at the same local url, differing only in context
root, with different permissions, and two ejb modules may have identically named ejbs with
different permissions.  Such cases cannot include permissions from both modules in a single
policy context.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message