4 Replies Latest reply on Mar 22, 2002 9:19 AM by rlentell

    Access To Methods Without Permissions

    rlentell

      We have developed a simple application with two roles. In the ejb-jar.xml we defined two roles, default and FNS. The FNS role is allowed access to half of the EJBs, while the default role is allowed access to the other EJBs.

      We are accessing the EJBs through a Java application. I would expect that if the user is only assigned to the default role, an exception would be thrown when accessing EJBs only given permission to the FNS role. However, the user is allowed access to all EJB methods when assigned to either role. I have included the applicable portion of the ejb-jar.xml.

      If anyone has any suggestions it would be of great help!

      <security-role>
        <role-name>FNS</role-name>
      </security-role>
      <security-role>
        <role-name>default</role-name>
      </security-role>

      <method-permission>
        <role-name>default</role-name>
        <method>
          <ejb-name>UserSessionBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>SessionManagerBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>UniqueIdentifierBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>UniqueIdentifierSessionBean</ejb-name>
          <method-name>*</method-name>
        </method>
      </method-permission>

      <method-permission>
        <role-name>FNS</role-name>
        <method>
          <ejb-name>CompanyBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>RoleBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>OperatorBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>SystemMenuItemBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>SystemMenuTypeBean</ejb-name>
          <method-name>*</method-name>
        </method>
      </method-permission>
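A small audit script, added here as an example and not part of the original post or of JBoss, that reads an ejb-jar.xml assembly descriptor and works out which roles each method-permission actually grants. It is the check a reviewer would run before blaming the container: it lists, per role, the beans that role may call, flags beans that appear in no method-permission at all, and flags any method that ends up granted to more than one role (which is what a single method-permission listing both role-names would produce). The descriptor embedded below is a constructed sample modelled on the one in the thread, trimmed to a few beans and with a made-up AuditBean added to show the "unlisted bean" finding; method names such as findAll and login are assumptions.

```python
"""Audit which roles an ejb-jar.xml grants to which bean methods (example script)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample descriptor, modelled on the thread's ejb-jar.xml (not the poster's file).
EJB_JAR_XML = """
<ejb-jar>
  <enterprise-beans>
    <session><ejb-name>UserSessionBean</ejb-name></session>
    <session><ejb-name>SessionManagerBean</ejb-name></session>
    <entity><ejb-name>CompanyBean</ejb-name></entity>
    <entity><ejb-name>RoleBean</ejb-name></entity>
    <entity><ejb-name>AuditBean</ejb-name></entity>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>FNS</role-name></security-role>
    <security-role><role-name>default</role-name></security-role>
    <method-permission>
      <role-name>default</role-name>
      <method><ejb-name>UserSessionBean</ejb-name><method-name>*</method-name></method>
      <method><ejb-name>SessionManagerBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>FNS</role-name>
      <method><ejb-name>CompanyBean</ejb-name><method-name>*</method-name></method>
      <method><ejb-name>RoleBean</ejb-name><method-name>findAll</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

UNCHECKED = "<unchecked>"  # marker for an EJB 2.0 <unchecked/> permission


def parse_permissions(xml_text):
    """Return {(ejb_name, method_name): set(role_names)} from every <method-permission>."""
    root = ET.fromstring(xml_text)
    grants = defaultdict(set)
    for perm in root.iter("method-permission"):
        roles = {r.text.strip() for r in perm.findall("role-name")}
        if perm.find("unchecked") is not None:
            roles.add(UNCHECKED)
        for m in perm.findall("method"):
            ejb = m.findtext("ejb-name").strip()
            name = (m.findtext("method-name") or "*").strip()
            grants[(ejb, name)] |= roles
    return dict(grants)


def declared_beans(xml_text):
    root = ET.fromstring(xml_text)
    return {e.text.strip() for e in root.find("enterprise-beans").iter("ejb-name")}


def declared_roles(xml_text):
    root = ET.fromstring(xml_text)
    return {r.findtext("role-name").strip() for r in root.iter("security-role")}


def roles_allowed(grants, ejb, method):
    """Roles that may call ejb.method: the exact entry plus the bean's '*' wildcard entry."""
    return set(grants.get((ejb, method), set())) | set(grants.get((ejb, "*"), set()))


def can_call(grants, user_roles, ejb, method):
    """True if a caller holding user_roles is granted ejb.method by the descriptor."""
    allowed = roles_allowed(grants, ejb, method)
    return UNCHECKED in allowed or bool(set(user_roles) & allowed)


def audit(xml_text):
    """Summarise the descriptor: per-role bean access and the findings a reviewer wants."""
    grants = parse_permissions(xml_text)
    beans = declared_beans(xml_text)
    roles = declared_roles(xml_text)
    granted_roles = {r for rs in grants.values() for r in rs}
    return {
        "access": {role: sorted({ejb for (ejb, _m), rs in grants.items() if role in rs})
                   for role in roles},
        "unlisted_beans": sorted(beans - {ejb for (ejb, _m) in grants}),
        "undeclared_roles": sorted(granted_roles - roles - {UNCHECKED}),
        "shared_methods": sorted(f"{ejb}.{m}" for (ejb, m), rs in grants.items() if len(rs) > 1),
    }


if __name__ == "__main__":
    for key, value in audit(EJB_JAR_XML).items():
        print(f"{key}: {value}")
    g = parse_permissions(EJB_JAR_XML)
    print("default -> CompanyBean.create:", can_call(g, {"default"}, "CompanyBean", "create"))
```

If the script reports an empty shared_methods list and the expected per-role bean lists, the descriptor expresses what the poster intends, and the problem has to be in how the container applies it (or in which roles the caller actually holds), not in the assembly descriptor itself.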

        • 1. Re: Access To Methods Without Permissions
          annegret

          You must set a security-domain in jboss.xml to activate security.


          <jboss>
            <security-domain>java:/jaas/mydomain</security-domain>
            <enterprise-beans>
            ...
            </enterprise-beans>
          </jboss>


          You can find a detailed description of how to set up security in the article

          http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html

          • 2. Re: Access To Methods Without Permissions
            rlentell

            Thanks for the response, Annegret! We have the security-domain set and are still seeing the problem. Let me see if I can clarify a little further.

             If we leave one of the two method-permissions out, access is denied to those beans, as expected. However, with both method-permissions in the ejb-jar.xml, access is allowed to all the beans by users in either role. This is where the problem lies. It appears JBoss is not differentiating between the access one role should have versus the other. I checked that the proper roles were assigned in the bean, and only one is set, so they should not have access to the beans in which they do not have any permissions assigned, but as of now they do.

            Ryan

            • 3. Re: Access To Methods Without Permissions
              annegret

              Which version of JBoss are you using?
              We use JBoss 2.4.3 and have method-permissions set:
              an admin-role has access to all beans;
              a standard-role has full access to some beans, no access to a few other beans, and access to special methods of a third group of beans.
              This works fine for us.

              I can't see any error in your configuration.
              Pure speculation, and this should not influence anything, but did you try to put the method-permission of role FNS above the method-permission of role default, to have the same order as the security-roles themselves are listed?

              • 4. Re: Access To Methods Without Permissions
                rlentell

                Again, thanks Annegret for the suggestion. I tried it, same results: access to all my methods. Anybody else have any suggestions?