geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <>
Subject [jira] Created: (GERONIMO-634) openejb jacc has contextID per ejb rather than contextID per ejb module
Date Sat, 16 Apr 2005 19:58:58 GMT
openejb jacc has contextID per ejb rather than contextID per ejb module

         Key: GERONIMO-634
     Project: Geronimo
        Type: Bug
  Components: OpenEJB  
    Versions: 1.0-M3    
    Reporter: David Jencks
 Assigned to: David Jencks 

Currently openejb creates a policy context for each ejb, containing only those permissions
relevant to that ejb.  This appears to be contrary to the jacc spec:

On p.4 we see this definition:
Policy Context The collection of policy statements within a policy  provider that affect access
to the resources of one or more  deployed modules.

section 3.1.1 also appears to indicate that a policy context corresponds to a j2ee module:

Each policy context contains all of the policy statements (as defined by this  specification)
that affect access to the resources in one or more deployed modules.    

section 3.1.5, dealing with translation of the xml dd to permissions inside PolicyConfiguration
objects, also looks to me as if the authors assume that there is one contextID for each ejb
module.  For instance reads:
For each method element of each method-permission element, an  EJBMethodPermission object
translated from the method element must be added to the policy statements of the PolicyConfiguration

Our implementation is externally indistinguishable from the per-module implementation mandated
by the spec: it will allow exactly the same access.  It is also slightly marginally simpler
at runtime although marginally more complicated at deploy time than the spec mandated structure.

Note that in general permissions for several modules cannot be put in a single policy context.
 Two web modules may have servlets at the same local url, differing only in context root,
with different permissions, and two ejb modules may have identically named ejbs with different
permissions.  Such cases cannot include permissions from both modules in a single policy context.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
If you want more information on JIRA, or have a bug to report see:

View raw message