geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: security problem
Date Fri, 13 Mar 2009 16:40:16 GMT
I think this is most likely a bug.  Could you please open a jira about  
this?

If you are inspired to experiment further.... I wonder if

-- changing the method signature to the old-fashioned getX(String y,  
int[] flags) works
-- using an xml security constraint (with or without the method args  
specified) works

Many thanks for finding this!
david jencks

On Mar 13, 2009, at 5:59 AM, Trygve Hardersen wrote:

> Hi
>
> I'm developing an application using Geronimo 2.2-SNAPSHOT. The whole  
> system is rather complex but I'll try to explain only what's needed  
> in this context.
>
> I have a stateless session bean called SSB, with a method called getX:
>
> SSB#getX(java.lang.String)
>
> Our security model has 5 roles; admin, anonymous, customer, partner  
> and system. Users can only be in one role. SSB is accessible for all  
> roles, but the getX does not allow anonymous access. So I have these  
> annotations:
>
> @DeclareRoles({
>     Constants.ROLE_ADMIN,
>     Constants.ROLE_ANONYMOUS,
>     Constants.ROLE_CUSTOMER,
>     Constants.ROLE_PARTNER,
>     Constants.ROLE_SYSTEM})
> public class SSB ....
>
> @RolesAllowed({
>     Constants.ROLE_ADMIN,
>     Constants.ROLE_CUSTOMER,
>     Constants.ROLE_PARTNER,
>     Constants.ROLE_SYSTEM})
> public X getX(String y)
>
> In my testsuite I have a simple testcase to verify that access by  
> users in the anonymous role (unauthenticated web users) is not  
> permitted for the getX method:
>
> SSB anonymous_service = LOG_IN_AS_ANONYMOUS_USER....
> X obj = null;
> EJBAccessException eae = null;
> try {
>     obj = anonymous_service.getX("test");
> } catch (EJBAccessException e) {
>     eae = e;
> }
> Assert.assertNull(obj);
> Assert.assertNotNull(eae);
> Assert.assertEquals(eae.getMessage(), "Unauthorized Access by Principal Denied");
>
> I've not had any problems with this test for months. However  
> yesterday I decided to change the method signature of getX to  
> support an optional list of int flags that control the object  
> initialization (which related records to get from the DB):
>
> public X getX(String y, int... flags)
>
> After this the test shown above fails. I get an object back and no  
> exception. The security system still works; I can check the user  
> manually using the SessionContext resource. But the container  
> authorization does not trigger.
>
> This seems like a bug in the Geronimo security system to me. I'm  
> guessing that the method is not recognized when using the vararg  
> (int...) signature.
>
> Any idea what to do about this? Currently I work around the issue by  
> manually checking the role name using  
> javax.ejb.EJBContext#isCallerInRole(java.lang.String).
>
> Thanks for your help!
>
> Trygve
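
As an added illustration (not code from the thread or from Geronimo), the small Java program below shows the Java-level fact behind David's two suggestions: a varargs `int...` parameter is reflectively an `int[]`, so a descriptor-style rule naming `java.lang.String, int[]` matches the varargs `getX`, while a rule written with the source-level `int...` spelling does not. The `SSB` stand-in and `matchesDescriptor` helper are hypothetical; no container is involved.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.List;

public class VarargsSignatureCheck {

    // Hypothetical stand-in for the bean in the thread; no EJB container here.
    static class SSB {
        public Object getX(String y) { return y; }
        public Object getX(String y, int... flags) { return y + Arrays.toString(flags); }
    }

    // Mimics how an ejb-jar.xml method-permission names parameter types, e.g.
    //   <method-params><method-param>java.lang.String</method-param>
    //                  <method-param>int[]</method-param></method-params>
    // Returns true when the reflective method matches the named signature.
    static boolean matchesDescriptor(Method m, String name, List<String> paramTypeNames) {
        if (!m.getName().equals(name)) return false;
        Class<?>[] types = m.getParameterTypes();
        if (types.length != paramTypeNames.size()) return false;
        for (int i = 0; i < types.length; i++) {
            // getCanonicalName() renders int[].class as "int[]" and
            // String.class as "java.lang.String"
            if (!types[i].getCanonicalName().equals(paramTypeNames.get(i))) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // The varargs overload must be looked up with int[].class: at the
        // reflection level "int... flags" is an int[] parameter.
        Method varargs = SSB.class.getMethod("getX", String.class, int[].class);
        System.out.println("isVarArgs=" + varargs.isVarArgs()
            + " params=" + Arrays.toString(varargs.getParameterTypes()));

        // A rule written for (java.lang.String, int[]) is checked against the
        // same method a plain int[] signature would produce.
        System.out.println("int[] rule matches: " + matchesDescriptor(varargs, "getX",
            Arrays.asList("java.lang.String", "int[]")));

        // A rule written with the source-level "int..." spelling is checked too;
        // the canonical name never contains "...".
        System.out.println("int... rule matches: " + matchesDescriptor(varargs, "getX",
            Arrays.asList("java.lang.String", "int...")));
    }
}
```

Whatever the container does internally, a regression test like Trygve's (assert the anonymous call is denied) is the reliable way to notice when a signature change silently drops a method out of the authorization rules.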

