geronimo-dev mailing list archives

From David Jencks <>
Subject Re: Geronimo EJB security
Date Wed, 10 Jun 2009 07:27:56 GMT
Hi Ivan,
On Jun 9, 2009, at 6:55 PM, Ivan wrote:

> Thanks, David, I have changed some code about EJB security, for it  
> made some cases fail. Currently, I use whether the security segment  
> exists in the deployment plan to decide whether the JACC Manager  
> needs to be created.

I think that's what we used to do and it is very wrong.  It makes it  
too easy to deploy an app without security you expect because you  
don't understand how to write a geronimo plan.  What we want is that  
if there are security annotations in the ejbs or if security is  
configured in the ejb-jar.xml spec deployment descriptor, then we  
require security configuration in the geronimo plan and set up the  
JACC stuff.

I thought I found all the tck tests that had security in the spec dd  
or annotations and fixed the plans, but it's entirely possible I  
missed some.  We should add security config to the geronimo plans  
rather than allowing deployment.

david jencks

> Ivan
> 2009/6/10 David Blevins <>
> On Jun 2, 2009, at 11:08 PM, Ivan wrote:
>   1. If there is no method-permission for an EJB in the ejb-jar.xml,  
> do we still need a JACC Manager, in which we grant all  
> access permissions?
>   2. When will we say that the EJBDeploymentGBean of an EJB is not  
> security-enabled? In the current code, the value seems always set  
> to true.
> It seems both questions boil down to "if the user isn't using  
> security, can we have security-enabled set to false?"  IIRC, that's  
> what we did.  Though this part might have been changed along with  
> David J's changes to make it so that an app with EJB  
> method-permissions (or equivalent annotations) would fail on deployment if  
> no security was set up.
> -David
> -- 
> Ivan
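
The rule David Jencks describes above (security declared in the spec descriptor requires security configuration in the plan, otherwise deployment fails), as an added Python sketch that is not Geronimo's code and not part of the original thread. It checks only ejb-jar.xml, not annotations; the function names, the constructed sample documents and the plan element name `security` are assumptions.

```python
import xml.etree.ElementTree as ET

# EJB spec descriptor elements that declare security in ejb-jar.xml.
SPEC_SECURITY_ELEMENTS = {"method-permission", "exclude-list", "security-role",
                          "security-role-ref", "run-as"}
# Assumption: the plan's security segment is an element named "security".
PLAN_SECURITY_ELEMENT = "security"


class DeploymentError(Exception):
    """Raised when declared security has no matching plan configuration."""


def local_names(xml_text):
    """Return the set of element names in a document, namespaces stripped."""
    return {el.tag.rsplit("}", 1)[-1] for el in ET.fromstring(xml_text).iter()}


def jacc_required(ejb_jar_xml, plan_xml):
    """True if JACC setup is needed, False if the descriptor declares no
    security; raises instead of silently deploying an unsecured app."""
    declared = SPEC_SECURITY_ELEMENTS & local_names(ejb_jar_xml)
    if not declared:
        return False
    if PLAN_SECURITY_ELEMENT not in local_names(plan_xml):
        raise DeploymentError(
            "ejb-jar.xml declares %s but the plan has no security configuration"
            % ", ".join(sorted(declared)))
    return True


# Constructed sample documents (not taken from Geronimo or the TCK).
EJB_JAR_SECURED = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee">
  <assembly-descriptor>
    <security-role><role-name>admin</role-name></security-role>
    <method-permission>
      <role-name>admin</role-name>
      <method><ejb-name>Bank</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""
EJB_JAR_OPEN = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee">
  <enterprise-beans><session><ejb-name>Bank</ejb-name></session></enterprise-beans>
</ejb-jar>"""
PLAN_WITH_SECURITY = "<openejb-jar><security/></openejb-jar>"
PLAN_WITHOUT_SECURITY = "<openejb-jar><enterprise-beans/></openejb-jar>"
```
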
