web access possible on EJB excluded methods
konijn Apr 13, 2002 4:57 PM
Hi there,
I am trying to work out how the security works.
I created a servlet helloServlet which calls a method of the EJB HelloWorld. After logging in via the web with the user role Customer I can still reach the EJB through the servlet, even though I have excluded every method of the EJB.
I would expect that I could not access the EJB. What am I doing wrong? Or is my setup not correct?
I tried with the packages JBoss-2.4.4_Tomcat-3.2.3 and
JBoss-2.4.4_Tomcat-4.0.1. Neither of them worked.
Any help?
Erik
ejb-jar.xml
-----------
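<ejb-jar>
  <enterprise-beans>
    <!-- Reconstructed: the forum paste dropped the <session> wrapper and the
         <home>/<remote> tags around the two interface names. The bean is a
         stateless session bean with container-managed transactions. -->
    <session>
      <display-name>HelloWorld</display-name>
      <ejb-name>HelloWorld</ejb-name>
      <home>securehelloworld.HelloWorldHome</home>
      <remote>securehelloworld.HelloWorld</remote>
      <ejb-class>securehelloworld.HelloWorldBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- Roles referenced from web.xml. "Erik" reads like a user name rather
         than a role; roles normally name a function (Customer, Admin) so the
         descriptor does not change when users do. -->
    <security-role>
      <role-name>Customer</role-name>
    </security-role>
    <security-role>
      <role-name>Erik</role-name>
    </security-role>
    <container-transaction>
      <ejb-name>HelloWorld</ejb-name>
      <method-name>*</method-name>
      <trans-attribute>Required</trans-attribute>
    </container-transaction>
    <!-- Excludes every method of HelloWorld, the home interface's create()
         included, so an enforced deployment should reject the servlet at the
         create() call, not only at the business method.
         NOTE(review): an exclude-list is checked by the EJB container's
         security interceptor, not by the web tier, so a successful web login
         says nothing about it. In JBoss 2.4 that interceptor is only engaged
         when jboss.xml binds the bean to a <security-domain>; verify that
         descriptor, and confirm this release honours exclude-list at all.
         Without either, these entries are silently ignored. -->
    <exclude-list>
      <ejb-name>HelloWorld</ejb-name>
      <method-name>*</method-name>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>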
--------
web.xml
--------
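<web-app>
  <!-- Reconstructed: the paste dropped the <servlet> wrappers around the two
       declarations; each servlet-name must sit inside its own <servlet>. -->
  <servlet>
    <servlet-name>helloServlet</servlet-name>
    <servlet-class>securehelloworld.SecureHelloWorldServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>webHello</servlet-name>
    <jsp-file>/hello.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>helloServlet</servlet-name>
    <url-pattern>/helloServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>webHello</servlet-name>
    <url-pattern>/webHello</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>hello.jsp</welcome-file>
  </welcome-file-list>
  <!-- The two constraints below differ only in url-pattern and could be one
       constraint with two url-pattern entries. Only /helloServlet and
       /webHello are protected; hello.jsp is also served directly as the
       welcome file at its own path, which no constraint covers. Listing
       GET and POST constrains only those two methods; dropping the
       http-method entries protects every method on the URL. -->
  <security-constraint>
    <display-name>Customer, Erik</display-name>
    <web-resource-collection>
      <web-resource-name>Collection1</web-resource-name>
      <url-pattern>/helloServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Erik</role-name>
      <role-name>Customer</role-name>
    </auth-constraint>
    <!-- NONE lets the FORM credentials and the session cookie travel in
         clear text; use CONFIDENTIAL once TLS is available. -->
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Customer, Erik</display-name>
    <web-resource-collection>
      <web-resource-name>Collection1</web-resource-name>
      <url-pattern>/webHello</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Erik</role-name>
      <role-name>Customer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logon_failed.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <!-- Reconstructed: the bare "Test" lines in the paste are presumably
       <description> text that lost its tags. -->
  <security-role>
    <description>Test</description>
    <role-name>Customer</role-name>
  </security-role>
  <security-role>
    <description>Test</description>
    <role-name>Erik</role-name>
  </security-role>
  <!-- Reconstructed <home>/<remote> tags. The servlet reaches the bean
       through this reference; which methods the logged-in caller may invoke
       is decided by the EJB container from ejb-jar.xml, not by anything in
       this file. -->
  <ejb-ref>
    <ejb-ref-name>EJB/HelloWorld</ejb-ref-name>
    <ejb-ref-type>Session</ejb-ref-type>
    <home>securehelloworld.HelloWorldHome</home>
    <remote>securehelloworld.HelloWorld</remote>
  </ejb-ref>
</web-app>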