method-permission being ignored

spiperoglou Jul 10, 2007 1:20 PM

JBoss 4.0.5GA - EJB 2.1

I'm trying to implement authentication for my EJBs. Before I even start with LoginModules, CallbackHandlers etc., the first thing I did was amend my ejb-jar.xml to require a role ("SomeUser") when accessing methods of my EJB ("TemplateManager"). Without changing anything on the client, I ran it again expecting to see authentication errors since there is no authentication, but instead the client ran fine, calling methods on the bean without any authentication. In other words, the EJB is still completely unsecured.

<security-role>
 <role-name>SomeUser</role-name>
</security-role>

<method-permission>
 <role-name>SomeUser</role-name>
 <method>
 <ejb-name>TemplateManager</ejb-name>
 <method-name>*</method-name>
 </method>
</method-permission>

In my ejb methods, I do:

LOG.debug("Principal: "+sessionContext.getCallerPrincipal());
LOG.debug("isCallerInRole: "+sessionContext.isCallerInRole("SomeUser"));

which produces:

17:57:19,707 DEBUG [TemplateManagerBean] Principal: anonymous
17:57:19,707 DEBUG [TemplateManagerBean] isCallerInRole: false

What's wrong? Why is JBoss ignoring the method-permission stuff in ejb-jar.xml?

1. Re: method-permission being ignored

dimitris Jul 11, 2007 4:04 AM (in response to spiperoglou)

You most probably need to define a security domain in the jboss specific descriptor.
Actions
2. Re: method-permission being ignored

spiperoglou Jul 12, 2007 7:14 AM (in response to spiperoglou)

Thanks, that did the trick
Actions

Go to original post