geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vamsavardhana Reddy (JIRA)" <j...@apache.org>
Subject [jira] Updated: (GERONIMO-4367) default-subject does not work with EJB security
Date Fri, 17 Oct 2008 17:51:44 GMT

     [ https://issues.apache.org/jira/browse/GERONIMO-4367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Vamsavardhana Reddy updated GERONIMO-4367:
------------------------------------------

    Attachment: GERONIMO-4367-testcase.zip

GERONIMO-4367-testcase.zip has the necessary files to verify this issue.  Instructions are
in README.TXT in the archive.

> default-subject does not work with EJB security
> -----------------------------------------------
>
>                 Key: GERONIMO-4367
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4367
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.1.3, 2.2
>            Reporter: Vamsavardhana Reddy
>             Fix For: 2.2
>
>         Attachments: GERONIMO-4367-testcase.zip
>
>
> The default-subject does not seem to work with EJB security. I have verified this in
the following scenario:
> I have a stateless bean BankBean1 as given below:
> @Stateless
> @DeclareRoles(value = {"bank", "customer"})
> public class BankBean1 implements Bank {
>     @RolesAllowed({"customer", "bank"})
>     public Double getBalance(Integer account) {
>         return data.get(account);
>     }
>    
>     @RolesAllowed({"bank"})
>     public Double creditAccount(Integer account, Double amt) {
>         ...
>         return value;
>     }
>     @RolesAllowed({"bank"})
>     public Double debitAccount(Integer account, Double amt) {
>         ...
>         return value;
>     }
> }
> I have a second stateless bean BankBean2 that has a reference injected to BankBean1 and
uses @RunAs as given below:
> @Stateless
> @DeclareRoles(value = {"bank", "customer"})
> @RunAs(value = "bank")
> public class BankBean2 implements Bank2 {
>    
>     @EJB
>     private Bank bank; // BankBean1 gets injected here.
>     public Double getBalance(Integer account) {
>         return bank.getBalance(account);
>     }
>    
>     public Double creditAccount(Integer account, Double amt) {
>         return bank.creditAccount(account, amt);
>     }
>     public Double debitAccount(Integer account, Double amt) {
>         return bank.debitAccount(account, amt);
>     }
> }
> In the security mapping in openejb-jar.xml, if I specify a run-as-subject for "bank"
role, BankBean2 is able to invoke BankBean1 as per that run-as-subject specified.  But if
I don't specify a run-as-subject, but only use a default-subject, BankBean2 is unable to invoke
BankBean1 as per the default-subject specified.
> Also see http://www.nabble.com/How-is-the-default-subject-used-in-EJB-security--td20021936s134.html#a20021936

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message