geronimo-dev mailing list archives

From "Shawn Jiang (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-4587) Array security issue
Date Tue, 02 Jun 2009 09:35:07 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-4587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12715439#action_12715439 ]

Shawn Jiang commented on GERONIMO-4587:
---------------------------------------

I can't recreate this problem. 


I used an EJB with three methods in the remote interface.

public String getName();

public String getName1(String name);

public String getName2(String name, int pos);

@DeclareRoles( { "MANAGERS_ROLE", "USERS_ROLE" }) on the EJB class.

@RolesAllowed( { "MANAGERS_ROLE"}) on each of the methods.


Then I used a user in USERS_ROLE to execute all three of the methods. All the access attempts
failed with "javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied".


Can you share more info on how to reproduce this JIRA? BTW, what do you mean when you talked
about "We have also confirmed that the security system fails if a "proper array" is used instead
of the "vararg array"."?

Thanks.




> Array security issue
> --------------------
>
>                 Key: GERONIMO-4587
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4587
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.2
>         Environment: Java 6 on OS X 10.5.
>            Reporter: Trygve Hardersen
>
> We have a stateless session bean called SSB, with a method called getX:
> SSB#getX(java.lang.String)
> Our security model has 5 roles; admin, anonymous, customer, partner and system. Users
> can only be in one role. SSB is accessible for all roles, but the getX method does not allow
> anonymous access. So we have these annotations:
> @DeclareRoles({
>     Constants.ROLE_ADMIN,
>     Constants.ROLE_ANONYMOUS,
>     Constants.ROLE_CUSTOMER,
>     Constants.ROLE_PARTNER,
>     Constants.ROLE_SYSTEM})
> public class SSB ....
> @RolesAllowed({
>     Constants.ROLE_ADMIN,
>     Constants.ROLE_CUSTOMER,
>     Constants.ROLE_PARTNER,
>     Constants.ROLE_SYSTEM})
> public X getX(String y)
> In our test suite I have a simple test case to verify that access by users in the anonymous
> role (unauthenticated web users) is not permitted for the getX method:
> SSB anonymous_service = LOG_IN_AS_ANONYMOUS_USER....
> X obj = null;
> EJBAccessException eae = null;
> try{
>         obj = anonymous_service.getX("test");
> }catch (EJBAccessException e) {
>           eae = e;
> }
> Assert.assertNull(obj);
> Assert.assertNotNull(eae);
> Assert.assertEquals(eae.getMessage(), "Unauthorized Access by Principal Denied");
> We've not had issues with this test case for months. However yesterday we decided to
> change the method signature of getX to support an optional list of int flags that control
> the object initialization (which related records to get from the DB):
> public X getX(String y, int... flags)
> After this the test shown above fails. An object is returned back and no exception is
> raised. The security system still works; we can check the user manually using the SessionContext
> resource. But the container authorization does not trigger.
> We have also confirmed that the security system fails if a "proper array" is used instead
> of the "vararg array". We have not had a chance to test whether using an XML-based configuration
> solves the issue.
> Since the security system is accessible through the SessionContext we work around this
> issue by manually checking the user role from our code.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
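The workaround the reporter describes (checking the caller's role from bean code through the SessionContext) can be written so that the array-parameter overload fails closed even when container authorization is not applied to it, while the declarative @RolesAllowed restriction stays in place so the original test keeps exercising the container. The following is an added example written for this page; it is not code from the Geronimo project or from the issue. The package, the role name strings, the SSBRemote interface and the X result type are all constructed here (the report refers to Constants.ROLE_* without showing their values).

```java
package example; // constructed package name for this example

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/** Remote business interface; both getX overloads are exposed to clients. */
@Remote
interface SSBRemote {
    X getX(String y);
    X getX(String y, int... flags);
}

/** Stand-in for the reporter's result type X. */
class X {
    final String y;
    final int[] flags;
    X(String y, int[] flags) { this.y = y; this.flags = flags; }
}

@Stateless
@DeclareRoles({ SSB.ROLE_ADMIN, SSB.ROLE_ANONYMOUS, SSB.ROLE_CUSTOMER,
                SSB.ROLE_PARTNER, SSB.ROLE_SYSTEM })
public class SSB implements SSBRemote {

    // Role names are constructed for this example; the issue uses Constants.ROLE_*
    // whose actual values are not shown in the report.
    static final String ROLE_ADMIN = "admin";
    static final String ROLE_ANONYMOUS = "anonymous";
    static final String ROLE_CUSTOMER = "customer";
    static final String ROLE_PARTNER = "partner";
    static final String ROLE_SYSTEM = "system";

    // Every role except anonymous may call getX; kept in one place so the
    // declarative annotation and the programmatic check cannot drift apart.
    private static final String[] GETX_ROLES =
        { ROLE_ADMIN, ROLE_CUSTOMER, ROLE_PARTNER, ROLE_SYSTEM };

    @Resource
    private SessionContext ctx;

    @RolesAllowed({ ROLE_ADMIN, ROLE_CUSTOMER, ROLE_PARTNER, ROLE_SYSTEM })
    public X getX(String y) {
        requireAnyRole(GETX_ROLES);
        return new X(y, new int[0]);
    }

    // The vararg overload from the report (compiled as int[]). The declarative
    // restriction is kept; the programmatic check below is the defence in depth.
    @RolesAllowed({ ROLE_ADMIN, ROLE_CUSTOMER, ROLE_PARTNER, ROLE_SYSTEM })
    public X getX(String y, int... flags) {
        requireAnyRole(GETX_ROLES);
        return new X(y, flags == null ? new int[0] : flags.clone());
    }

    /**
     * Programmatic authorization through the SessionContext. For an
     * unauthenticated (anonymous) caller isCallerInRole returns false for every
     * application role, so the method fails closed. The exception message matches
     * the one the reporter's test asserts on, so that test passes unchanged.
     */
    private void requireAnyRole(String[] roles) {
        for (String role : roles) {
            if (ctx.isCallerInRole(role)) {
                return;
            }
        }
        throw new EJBAccessException("Unauthorized Access by Principal Denied");
    }
}
```

EJBAccessException is a runtime exception, so throwing it from the bean propagates to the client just as a container-raised denial would; the reporter's existing test (assertNull on the result, assertNotNull on the exception, assertEquals on the message) therefore covers both the declarative and the programmatic path. Keeping @RolesAllowed on the array overload is deliberate: if the container bug is fixed, the annotation is what the test should exercise, and the programmatic check becomes redundant rather than wrong.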

