4 Replies Latest reply on May 7, 2002 2:57 PM by tcherel

problem with method-permission

annegret Jan 11, 2002 4:52 AM

Hi,

I have a problem with method-permission in jboss 2.4.3 which I can reproduce with the jaas-howto sample of the jboss docu.
To remember: in the sample the following method-permission is configured:

<assembly-descriptor>
<security-role>
<role-name>Echo</role-name>
</security-role>

<method-permission>
<role-name>Echo</role-name>

<ejb-name>StatelessSession</ejb-name>
<method-name>*</method-name>

<ejb-name>StatefulSession</ejb-name>
<method-name>*</method-name>

</method-permission>

<method-permission>
<role-name>Coder</role-name>

<ejb-name>StatefulSession</ejb-name>
<method-name>create</method-name>

<ejb-name>StatefulSession</ejb-name>
<method-name>remove</method-name>

<ejb-name>StatefulSession</ejb-name>
<method-name>noop</method-name>

</method-permission>
</assembly-descriptor>

Users with role Coder can access the StatefulSession bean and call method 'noop' but are not allowed to call the (existing) method 'echo'.

From client point of view I would expect the following behaviour for users with role Coder:
create StatefulSession => ok
call method noop => ok
call method echo => SecurityException
call method noop => ok
remove StatefulSession => ok

But the following behavior happens:
create StatefulSession => ok
call method noop => ok
call method echo => SecurityException
call method noop => TRANSACTION ROLLBACK EXCEPTION:Could not activate; nested exception is: java.io.FileNotFoundException: ...\sessions\StatefulSession\1010741052346.ser

I think this is because the container discards the bean after the SecurityException. Is that right ?
What can I do to get the expected behaviour ?

Any help would be appreciated

1. Re: problem with method-permission

rsolod Jan 24, 2002 8:23 AM (in response to annegret)

I think you need to add
<security-role>
<role-name>Coder</role-name>
</security-role>
into <assembly-descriptor> too.
Actions
2. Re: problem with method-permission

tcherel May 5, 2002 10:46 PM (in response to annegret)

Did you find the way to solve this issue?
I am experiencing exactly the same one with JBoss 2.4.4

Thanks.
Actions
3. Re: problem with method-permission

tcherel May 6, 2002 2:43 PM (in response to annegret)

I should probably mention that there is no problem at all if the session bean is deployed as a stateless session bean. But if it is deployes as a stateful one, then the exception described in the initial email of this thread is occuring.
Anybody has any ideas why? Am I missing something in the EJB spec or JBoss documentation saying that after a security excpetion, the stateful bean are gone/discarded?
Any help will be appreciated.

Thomas
Actions
4. Re: problem with method-permission

tcherel May 7, 2002 2:57 PM (in response to annegret)

Thanks to Annegret (the intial post of this thread), I got the answer to my question. There it is for anybody else interested:

The behavior you see is correct based on our interpretation of the
EJB spec. The SecurityException is treated as RuntimeException
thrown by the business method and the session is discarded. If
other servers treat this differently file a bug.

You cannot achieve the behavior you are looking for using a single
stateful session bean accessed by a client. You would need to
partition the work being done so that the restricted operation can
be isolated from the session state you want to save on failure. You
would need to add another stateless or stateful session bean for the
restricted operation and catch and deal with the SecurityException
thrown.

xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx
Actions

Go to original post