geronimo-dev mailing list archives

From "Vamsavardhana Reddy (JIRA)" <j...@apache.org>
Subject [jira] Created: (GERONIMO-4367) default-subject does not work with EJB security
Date Fri, 17 Oct 2008 17:43:44 GMT
default-subject does not work with EJB security
-----------------------------------------------

                 Key: GERONIMO-4367
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4367
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: security
    Affects Versions: 2.1.3, 2.2
            Reporter: Vamsavardhana Reddy
             Fix For: 2.2


The default-subject does not seem to work with EJB security. I have verified this in the following scenario:

I have a stateless bean BankBean1 as given below:

import java.util.HashMap;
import java.util.Map;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles(value = {"bank", "customer"})
public class BankBean1 implements Bank {

    // Account balances keyed by account number (the backing store is not part of the report).
    private final Map<Integer, Double> data = new HashMap<Integer, Double>();

    // Readable by either role.
    @RolesAllowed({"customer", "bank"})
    public Double getBalance(Integer account) {
        return data.get(account);
    }

    // Restricted to "bank": this is the check BankBean2 must satisfy via its run-as identity.
    @RolesAllowed({"bank"})
    public Double creditAccount(Integer account, Double amt) {
        ...
        return value;
    }

    @RolesAllowed({"bank"})
    public Double debitAccount(Integer account, Double amt) {
        ...
        return value;
    }
}

I have a second stateless bean BankBean2 that has a reference to BankBean1 injected and uses
@RunAs as given below:
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles(value = {"bank", "customer"})
@RunAs(value = "bank")   // outbound calls from this bean should carry the "bank" role
public class BankBean2 implements Bank2 {

    @EJB
    private Bank bank; // BankBean1 gets injected here.

    // No @RolesAllowed on these methods: any caller reaches them, and the container is expected
    // to invoke BankBean1 with the subject mapped to the "bank" role.
    public Double getBalance(Integer account) {
        return bank.getBalance(account);
    }

    public Double creditAccount(Integer account, Double amt) {
        return bank.creditAccount(account, amt);
    }

    public Double debitAccount(Integer account, Double amt) {
        return bank.debitAccount(account, amt);
    }
}

In the security mapping in openejb-jar.xml, if I specify a run-as-subject for "bank" role,
BankBean2 is able to invoke BankBean1 as per that run-as-subject specified.  But if I don't
specify a run-as-subject, but only use a default-subject, BankBean2 is unable to invoke BankBean1
as per the default-subject specified.

Also see http://www.nabble.com/How-is-the-default-subject-used-in-EJB-security--td20021936s134.html#a20021936

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
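
The two openejb-jar.xml mappings the report compares, as an added illustration that is not part of the issue or of the Geronimo project. The namespace and element names follow the Geronimo 2.x security-2.0 schema as I understand it; the realm name, credential-store entry id and group principal names are assumed placeholders, and the credential store that defines them is not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2"
             xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">

  <sec:security>
    <!-- Subject the container should use for a role that has no run-as-subject of its own.
         bank-realm / bank-system are assumed credential-store entries. -->
    <sec:default-subject>
      <sec:realm>bank-realm</sec:realm>
      <sec:id>bank-system</sec:id>
    </sec:default-subject>

    <sec:role-mappings>
      <sec:role role-name="bank">
        <!-- Working case from the report: an explicit run-as-subject for "bank".
             BankBean2 (@RunAs("bank")) then reaches the @RolesAllowed("bank")
             methods of BankBean1 with this subject. Delete this element to get
             the failing case, where only the default-subject above remains. -->
        <sec:run-as-subject>
          <sec:realm>bank-realm</sec:realm>
          <sec:id>bank-system</sec:id>
        </sec:run-as-subject>
        <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                       name="bank"/>
      </sec:role>
      <sec:role role-name="customer">
        <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                       name="customer"/>
      </sec:role>
    </sec:role-mappings>
  </sec:security>
</openejb-jar>
```

To reproduce the comparison, deploy the file twice, once as shown and once with the run-as-subject element removed, and call BankBean2.creditAccount as a caller who holds only the "customer" group. With the explicit run-as-subject the nested call to BankBean1.creditAccount is authorized; the report states that with only the default-subject it is not, even though the same subject is named in both places.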

