geronimo-user mailing list archives

From Trygve Hardersen <try...@jotta.no>
Subject Re: security problem
Date Fri, 13 Mar 2009 17:40:49 GMT
I filed GERONIMO-4587 for this. Strangely, it does not seem to be caused only
by vararg arrays; normal arrays also fail for me.

I've not had a chance to test with XML security configuration, nor on 2.1.
But it should be easy to write a test case for this.

Many thanks for your help!

Trygve

On Fri, Mar 13, 2009 at 5:40 PM, David Jencks <david_jencks@yahoo.com> wrote:

> I think this is most likely a bug. Could you please open a jira about
> this?
>
> If you are inspired to experiment further.... I wonder if
>
> -- changing the method signature to the old-fashioned getX(String y, int[]
> flags) works
> -- using an xml security constraint (with or without the method args
> specified) works
>
> Many thanks for finding this!
> david jencks
>
>
> On Mar 13, 2009, at 5:59 AM, Trygve Hardersen wrote:
>
>> Hi
>>
>> I'm developing an application using Geronimo 2.2-SNAPSHOT. The whole
>> system is rather complex but I'll try to explain only what's needed in this
>> context.
>>
>> I have a stateless session bean called SSB, with a method called getX:
>>
>> SSB#getX(java.lang.String)
>>
>> Our security model has 5 roles: admin, anonymous, customer, partner and
>> system. Users can only be in one role. SSB is accessible for all roles, but
>> the getX does not allow anonymous access. So I have these annotations:
>>
>> @DeclareRoles({
>>    Constants.ROLE_ADMIN,
>>    Constants.ROLE_ANONYMOUS,
>>    Constants.ROLE_CUSTOMER,
>>    Constants.ROLE_PARTNER,
>>    Constants.ROLE_SYSTEM})
>> public class SSB ....
>>
>> @RolesAllowed({
>>    Constants.ROLE_ADMIN,
>>    Constants.ROLE_CUSTOMER,
>>    Constants.ROLE_PARTNER,
>>    Constants.ROLE_SYSTEM})
>> public X getX(String y)
>>
>> In my testsuite I have a simple testcase to verify that access by users in
>> the anonymous role (unauthenticated web users) is not permitted for the getX
>> method:
>>
>> SSB anonymous_service = LOG_IN_AS_ANONYMOUS_USER....
>> X obj = null;
>> EJBAccessException eae = null;
>> try {
>>     obj = anonymous_service.getX("test");
>> } catch (EJBAccessException e) {
>>     eae = e;
>> }
>> Assert.assertNull(obj);
>> Assert.assertNotNull(eae);
>> Assert.assertEquals(eae.getMessage(), "Unauthorized Access by Principal Denied");
>>
>> I've not had any problems with this test for months. However, yesterday I
>> decided to change the method signature of getX to support an optional list
>> of int flags that control the object initialization (which related records
>> to get from the DB):
>>
>> public X getX(String y, int... flags)
>>
>> After this the test shown above fails. I get an object back and no
>> exception. The security system still works; I can check the user manually
>> using the SessionContext resource. But the container authorization does not
>> trigger.
>>
>> This seems like a bug in the Geronimo security system to me. I'm guessing
>> that the method is not recognized when using the vararg (int...) signature.
>>
>> Any idea what to do about this? Currently I work around the issue by
>> manually checking the role name using
>> javax.ejb.EJBContext#isCallerInRole(java.lang.String).
>>
>> Thanks for your help!
>>
>> Trygve
>>
>
>
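
A regression test of the kind the thread asks for, added here as an example and not code from the thread or from the Geronimo project: it walks every @RolesAllowed-restricted business method of SSB by reflection (the int... method included, exercised with an empty array since a vararg parameter arrives as int[]) and asserts that an anonymous caller gets EJBAccessException, so any signature the container's authorization fails to match shows up as a failing test instead of a silent bypass. SSBLocal (the bean's business interface) and TestLogin.asAnonymous() are assumed names; the test assumes method-level @RolesAllowed as shown above and JUnit 4.

```java
import java.lang.reflect.Array;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Arrays;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import org.junit.Assert;
import org.junit.Test;

public class AnonymousAccessTest {
    // Hypothetical names: SSBLocal is the business interface of SSB and
    // TestLogin.asAnonymous() returns a proxy bound to the anonymous role.
    private final SSBLocal anonymousService = TestLogin.asAnonymous(SSBLocal.class);

    @Test
    public void anonymousIsDeniedOnEveryRestrictedMethod() throws Exception {
        for (Method m : SSB.class.getMethods()) {
            RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
            if (ra == null || Arrays.asList(ra.value()).contains(Constants.ROLE_ANONYMOUS)) {
                continue; // unrestricted, or anonymous is explicitly allowed
            }
            Method viaInterface;
            try { viaInterface = SSBLocal.class.getMethod(m.getName(), m.getParameterTypes()); }
            catch (NoSuchMethodException notExposed) { continue; } // not a business method
            try {
                viaInterface.invoke(anonymousService, defaultArgs(m.getParameterTypes()));
                Assert.fail("container let anonymous call " + m);
            } catch (InvocationTargetException e) {
                // Any other cause means the bean body ran: authorization was skipped.
                Assert.assertTrue("expected EJBAccessException from " + m + ", got " + e.getCause(),
                        e.getCause() instanceof EJBAccessException);
            }
        }
    }

    // Placeholder arguments: zero for primitives, an empty array for array and
    // vararg parameters (int... is received as int[]), null for everything else.
    private static Object[] defaultArgs(Class<?>[] types) {
        Object[] args = new Object[types.length];
        for (int i = 0; i < types.length; i++) {
            if (types[i].isPrimitive()) {
                args[i] = Array.get(Array.newInstance(types[i], 1), 0);
            } else if (types[i].isArray()) {
                args[i] = Array.newInstance(types[i].getComponentType(), 0);
            }
        }
        return args;
    }
}
```

Because the placeholder arguments are deliberately empty, a method that is reached at all will usually fail inside the bean, which the test reports as the wrong exception type rather than as a denial.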
