geronimo-dev mailing list archives

From Ivan <>
Subject Re: Geronimo EJB security
Date Wed, 10 Jun 2009 07:45:14 GMT
 I am not sure if I expressed myself clearly in the last email.
 For example, in the ejb-jar.xml file, no method permission is defined, only
some run-as configuration, and in Geronimo's plan, a security
configuration is defined. Before the changes I made, the builder checked
whether there are method permission definitions in the ejb-jar.xml; if not,
the builder would not create the JACC Manager for that configuration even if
there is a security configuration in Geronimo's plan, which caused many
cases to fail with access denied.
 Thanks !

2009/6/10 David Jencks <>

> Hi Ivan,
> On Jun 9, 2009, at 6:55 PM, Ivan wrote:
> Thanks, David, I have changed some code about EJB security, for it made
> some cases fail. Currently, I use whether a security segment exists in the
> deployment plan to decide whether the JACC Manager needs to be created.
> I think that's what we used to do and it is very wrong.  It makes it too
> easy to deploy an app without security you expect because you don't
> understand how to write a geronimo plan.  What we want is that if there are
> security annotations in the ejbs or if security is configured in the
> ejb-jar.xml spec deployment descriptor, then we require security
> configuration in the geronimo plan and set up the JACC stuff.
> I thought I found all the tck tests that had security in the spec dd or
> annotations and fixed the plans, but it's entirely possible I missed some.
>  We should add security config to the geronimo plans rather than allowing
> deployment.
> thanks
> david jencks
> Ivan
> 2009/6/10 David Blevins <>
>> On Jun 2, 2009, at 11:08 PM, Ivan wrote:
>>    1. If there is no method-permission for an EJB in the ejb-jar.xml,
>>> shall we still need a JACC Manager, which in it, we grant the all access
>>> permissions ?
>>>   2. When will we say that the EJBDeploymentGBean of an EJB is not
>>> security-enabled? In the current code, the value seems always set to true.
>> It seems both questions boil down to "if the user isn't using security,
>> can we have security-enabled set to false?"  IIRC, that's what we did.
>>  Though this part might have been changed along with David J's changes to
>> make it so that an app with EJB method-permissions (or equivalent
>> annotations) would fail on deployment if no security was set up.
>> -David
> --
> Ivan
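
The deploy-time rule discussed in this thread, written out as a pre-deployment check. This is an added example, not Geronimo's builder code: it reads only the spec descriptor (not annotations), the sample descriptors and the `<plan>` wrapper are constructed, and matching the plan's security section by the local name `security` and enabling JACC when only the plan declares security are assumptions.

```python
import xml.etree.ElementTree as ET

# ejb-jar.xml elements that count as "security configured in the spec DD".
SPEC_SECURITY_TAGS = {"method-permission", "exclude-list", "run-as",
                      "security-role", "security-role-ref"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]

def declared_security(ejb_jar_xml):
    """Sorted list of security-related element names found in the spec DD."""
    root = ET.fromstring(ejb_jar_xml)
    return sorted({local(e.tag) for e in root.iter()} & SPEC_SECURITY_TAGS)

def plan_has_security(plan_xml):
    """True if the plan has a <security> element (assumed local name)."""
    if not plan_xml:
        return False
    return any(local(e.tag) == "security" for e in ET.fromstring(plan_xml).iter())

def decide(ejb_jar_xml, plan_xml):
    """Return (action, spec_dd_security_elements) for one EJB module."""
    found = declared_security(ejb_jar_xml)
    in_plan = plan_has_security(plan_xml)
    if found and not in_plan:
        # Spec DD asks for security but the plan has none: fail deployment
        # instead of silently deploying an unsecured app.
        return "reject", found
    if in_plan:
        # Covers the run-as-only case: no method-permission, but the plan
        # has security, so the JACC manager is still created.
        return "create-jacc", found
    return "no-security", found

# Constructed sample descriptors.
RUN_AS_ONLY = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee">
 <enterprise-beans><session><ejb-name>Demo</ejb-name>
  <security-identity><run-as><role-name>admin</role-name></run-as></security-identity>
 </session></enterprise-beans></ejb-jar>"""
NO_SECURITY = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee">
 <enterprise-beans><session><ejb-name>Demo</ejb-name></session>
 </enterprise-beans></ejb-jar>"""
PLAN_SECURED = "<plan><security/></plan>"   # stand-in for a Geronimo plan
PLAN_BARE = "<plan/>"

if __name__ == "__main__":
    for dd, plan in [(RUN_AS_ONLY, PLAN_SECURED), (RUN_AS_ONLY, PLAN_BARE),
                     (NO_SECURITY, PLAN_BARE)]:
        print(decide(dd, plan))
```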

