geronimo-dev mailing list archives

From "David Jencks (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-4367) default-subject does not work with EJB security
Date Tue, 26 May 2009 19:04:45 GMT

[ https://issues.apache.org/jira/browse/GERONIMO-4367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12713192#action_12713192 ]

David Jencks commented on GERONIMO-4367:
----------------------------------------

I think it's not clear how an ejb default subject ought to work.  I'll try to explain my point
of view.

DefaultSubject is supposed to provide an identity when there is no other source.  If you don't
specify a default identity, then geronimo will assign one that has no principals.
I think the ejb default subject is only relevant when a remote ejb request comes into the
server with no authenticated identity.  However all requests from a web app will have gone
through the web app and it will have assigned a default identity.  Therefore by the time a
request gets from a web app to an ejb, it will have an identity and the ejb default subject
won't be used.

From looking at your sample app I think that this is what is happening.  If you set the
default subject you want in the web app I would expect it to work.  Alternatively you could
use a run-as role on the servlet.

> default-subject does not work with EJB security
> -----------------------------------------------
>
>                 Key: GERONIMO-4367
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4367
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.1.3, 2.2
>            Reporter: Vamsavardhana Reddy
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: GERONIMO-4367-testcase.zip
>
>
> The default-subject does not seem to work with EJB security. I have verified this in
> the following scenario:
> I have a stateless bean BankBean1 as given below:
> @Stateless
> @DeclareRoles(value = {"bank", "customer"})
> public class BankBean1 implements Bank {
>     @RolesAllowed({"customer", "bank"})
>     public Double getBalance(Integer account) {
>         return data.get(account);
>     }
>    
>     @RolesAllowed({"bank"})
>     public Double creditAccount(Integer account, Double amt) {
>         ...
>         return value;
>     }
>     @RolesAllowed({"bank"})
>     public Double debitAccount(Integer account, Double amt) {
>         ...
>         return value;
>     }
> }
> I have a second stateless bean BankBean2 that has a reference injected to BankBean1 and
> uses @RunAs as given below:
> @Stateless
> @DeclareRoles(value = {"bank", "customer"})
> @RunAs(value = "bank")
> public class BankBean2 implements Bank2 {
>    
>     @EJB
>     private Bank bank; // BankBean1 gets injected here.
>     public Double getBalance(Integer account) {
>         return bank.getBalance(account);
>     }
>    
>     public Double creditAccount(Integer account, Double amt) {
>         return bank.creditAccount(account, amt);
>     }
>     public Double debitAccount(Integer account, Double amt) {
>         return bank.debitAccount(account, amt);
>     }
> }
> In the security mapping in openejb-jar.xml, if I specify a run-as-subject for "bank"
> role, BankBean2 is able to invoke BankBean1 as per that run-as-subject specified.  But if
> I don't specify a run-as-subject, but only use a default-subject, BankBean2 is unable to invoke
> BankBean1 as per the default-subject specified.
> Also see http://www.nabble.com/How-is-the-default-subject-used-in-EJB-security--td20021936s134.html#a20021936

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
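The precedence David describes (an identity that arrives with the call, even an empty one, is kept; a tier's default-subject only fills the gap when nothing arrived; a run-as-subject replaces the identity for downstream calls), as an added toy model of the web app -> BankBean2 -> BankBean1 chain. This is constructed for illustration and is not Geronimo's or OpenEJB's code; the `Tier`/`Subject` names are assumptions.

```python
"""Toy model of identity propagation web app -> BankBean2 -> BankBean1.
Constructed illustration of the comment above, not Geronimo's code: a tier keeps
the subject that arrived with the call, uses its own default-subject only when
none arrived (an empty subject if none is configured), and a run-as-subject
replaces the subject for the calls it makes downstream."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Subject:
    roles: FrozenSet[str] = frozenset()  # roles the subject's principals map to


EMPTY = Subject()                    # assigned when no default-subject is configured
BANK = Subject(frozenset({"bank"}))  # a subject whose principals map to "bank"


@dataclass
class Tier:
    name: str
    default_subject: Optional[Subject] = None  # default-subject in this tier's plan
    run_as_subject: Optional[Subject] = None   # run-as-subject for this tier's run-as role

    def incoming(self, caller: Optional[Subject]) -> Subject:
        # A subject that arrived with the call, even an empty one, wins over default-subject.
        if caller is not None:
            return caller
        return self.default_subject if self.default_subject is not None else EMPTY

    def outgoing(self, current: Subject) -> Subject:
        return self.run_as_subject if self.run_as_subject is not None else current


def subject_at_last_tier(chain: List[Tier], caller: Optional[Subject] = None) -> Subject:
    """Walk the chain; return the subject the last tier's @RolesAllowed check sees."""
    current = caller
    for tier in chain[:-1]:
        current = tier.outgoing(tier.incoming(current))
    return chain[-1].incoming(current)


def bank_allowed(chain: List[Tier]) -> bool:
    """Would BankBean1.creditAccount's @RolesAllowed({"bank"}) pass at the end of chain?"""
    return "bank" in subject_at_last_tier(chain).roles


# Remote call straight into the EJB container: the EJB default-subject applies.
REMOTE = [Tier("BankBean2", default_subject=BANK), Tier("BankBean1")]
# Via a web app with no default-subject: its empty identity arrives first, so it does not.
VIA_WEB = [Tier("webapp"), Tier("BankBean2", default_subject=BANK), Tier("BankBean1")]
# Default-subject on the web app instead, or a run-as-subject on BankBean2: both work.
VIA_WEB_FIXED = [Tier("webapp", default_subject=BANK), Tier("BankBean2"), Tier("BankBean1")]
VIA_RUN_AS = [Tier("webapp"), Tier("BankBean2", run_as_subject=BANK), Tier("BankBean1")]
```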

