geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matt Hogstrom (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-1053) Session Bean, Finder, & Method Permissions
Date Thu, 17 Nov 2005 12:00:41 GMT
    [ http://issues.apache.org/jira/browse/GERONIMO-1053?page=comments#action_12357870 ] 

Matt Hogstrom commented on GERONIMO-1053:
-----------------------------------------

Need a read on whether this will get fixed for 1.0 or not.  I suspect that most folks aren't
using permissions but does this JIRA imply that permissions are broken as a whole ?

> Session Bean, Finder, & Method Permissions
> ------------------------------------------
>
>          Key: GERONIMO-1053
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1053
>      Project: Geronimo
>         Type: Bug
>   Components: OpenEJB, security
>     Versions: 1.0-M5
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.0

>
> I have an EAR with a Web App, Session Bean, and CMP Entity Bean, using the M5 release.
> The user brings up a secure page on the web app and logs in.
> The web code invoked after the login calls the session bean.
> The session bean calls a finder on the entity bean, and gets this (in the session bean
method code, where it calls the finder):
> Caused by: javax.ejb.TransactionRolledbackLocalException
>         at org.openejb.transaction.ContainerPolicy$TxRequired.invoke(ContainerPolicy.java:123)
>         at org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80)
>         at org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82)
>         at org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:545)
>         at org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
>         at org.openejb.proxy.EJBMethodInterceptor.intercept(EJBMethodInterceptor.java:129)
>         at org.openejb.proxy.EntityEJBLocalHome$$EnhancerByCGLIB$$afb1a239.findAll(<generated>)
>         at org.loadmagus.ejb.TestManagerBean.getAllApplications(TestManagerBean.java:70)
>         ... 48 more
> Caused by: javax.ejb.AccessLocalException: access denied (javax.security.jacc.EJBMethodPermission
EntityBean findAll,LocalHome,)
>         at org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:107)
>         at org.apache.geronimo.naming.java.ComponentContextInterceptor.invoke(ComponentContextInterceptor.java:56)
>         at org.openejb.ConnectionTrackingInterceptor.invoke(ConnectionTrackingInterceptor.java:81)
>         at org.openejb.entity.EntityInstanceInterceptor.invoke(EntityInstanceInterceptor.java:136)
>         at org.openejb.entity.cmp.InTxCacheInterceptor.invoke(InTxCacheInterceptor.java:84)
>         at org.openejb.transaction.ContainerPolicy$TxRequired.invoke(ContainerPolicy.java:119)
>         ... 55 more
> The ejb-jar.xml for the EJBs in question has:
>         <security-role>
>             <role-name>Developer</role-name>
>         </security-role>
>         <method-permission>
>             <role-name>Developer</role-name>
>             <method>
>                 <ejb-name>SessionBean</ejb-name>
>                 <method-name>*</method-name>
>             </method>
>         </method-permission>
>         <method-permission>
>             <role-name>Developer</role-name>
>             <method>
>                 <ejb-name>EntityBean</ejb-name>
>                 <method-name>*</method-name>
>             </method>
>         </method-permission>
> So it's a little odd that the session bean sees a transaction rolled back exception rather
than the real security exception, but whatever.
> The real problem is that both the session bean and the entity bean are covered by identical
all-inclusive method permission blocks, so if the user got into the session bean, there should
be no reason they can't get into the entity bean.  The syntax above is specifically supported
in the ejb-jar-2_1.xsd Schema (#1; "This style is used to refer to all the methods of the
specified enterprise bean's home, component, and/or web service endpoint interfaces.")

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message