4 Replies Latest reply on Apr 5, 2005 2:39 PM by gozilla

    method-permission problem

    morenito9000

      Hi all,
      in my application I have an SFSB (Modify Bean) and 3 roles (Ips, Aci, Prg).
      The Ips and Aci roles can call all of the bean's methods.
      The Prg role can call all of the bean's methods except possoInserire().

      In ejb-jar.xml I have:

      <method-permission >
       <description></description>
       <role-name>Ips</role-name>
       <role-name>Aci</role-name>
       <role-name>Prg</role-name>
       <method >
       <description></description>
       <ejb-name>Modify</ejb-name>
       <method-name>*</method-name>
       </method>
      </method-permission>
      
      <method-permission >
       <description></description>
       <role-name>Ips</role-name>
       <role-name>Aci</role-name>
       <method >
       <description></description>
       <ejb-name>Modify</ejb-name>
       <method-intf>Remote</method-intf>
       <method-name>possoInserire</method-name>
       <method-params>
       </method-params>
       </method>
      </method-permission>
      
      Even if I run as the Prg role, I can call the possoInserire() method.
      
      In server.log JBoss says that the method is callable by
      all 3 roles.
      Why?
      Must the method-permission info be replicated in the jboss.xml file?
      
      Any help is much appreciated.
      Many thanks in advance
      Moreno


        • 1. Re: method-permission problem
          darranl

          Because that is how you have configured it:

          <method-permission >
           <description></description>
           <role-name>Ips</role-name>
           <role-name>Aci</role-name>
           <role-name>Prg</role-name>
           <method >
           <description></description>
           <ejb-name>Modify</ejb-name>
           <method-name>*</method-name>
           </method>
          </method-permission>


          The three roles are listed and can call any method.

          You need to configure it so that 'Ips' and 'Aci' are configured to call all methods.

          Then for 'Prg' you will need to add a method-permission that lists the callable methods.
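
The behaviour described in this reply, as an added example that is not part of the original thread or of JBoss: the roles from every matching method-permission entry are combined as a union, so the narrower possoInserire entry does not take away what the wildcard entry grants to Prg. The Python sketch below reads a constructed copy of the descriptor; the function name granting_entries and the FIXED variant are assumptions made for illustration, and overloads declared with method-params are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the two method-permission entries in the question.
DESCRIPTOR = """<assembly-descriptor>
  <method-permission>
    <role-name>Ips</role-name><role-name>Aci</role-name><role-name>Prg</role-name>
    <method><ejb-name>Modify</ejb-name><method-name>*</method-name></method>
  </method-permission>
  <method-permission>
    <role-name>Ips</role-name><role-name>Aci</role-name>
    <method>
      <ejb-name>Modify</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>possoInserire</method-name>
      <method-params/>
    </method>
  </method-permission>
</assembly-descriptor>"""

# Step one of the fix from the reply: take Prg out of the wildcard entry.
FIXED = DESCRIPTOR.replace("<role-name>Prg</role-name>", "", 1)


def granting_entries(xml_text, ejb, method_name, intf):
    """Map each role to the <method-name> patterns that grant it this call.

    Entries are combined as a union, so a narrower entry never removes a role
    that a wildcard entry grants. Overloads (<method-params>) are not modelled.
    """
    grants = {}
    for perm in ET.fromstring(xml_text).iter("method-permission"):
        roles = [r.text.strip() for r in perm.findall("role-name")]
        for m in perm.findall("method"):
            pattern = m.findtext("method-name", "").strip()
            m_intf = (m.findtext("method-intf") or "").strip()  # empty: any interface
            if (m.findtext("ejb-name", "").strip() == ejb
                    and pattern in ("*", method_name)
                    and m_intf in ("", intf)):
                for role in roles:
                    grants.setdefault(role, []).append(pattern)
    return grants


if __name__ == "__main__":
    for label, xml_text in (("as posted", DESCRIPTOR), ("wildcard without Prg", FIXED)):
        print(label, granting_entries(xml_text, "Modify", "possoInserire", "Remote"))
```

With Prg removed from the wildcard entry, Prg holds no permission on Modify at all until an entry lists its callable methods explicitly.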

          • 2. Re: method-permission problem
            morenito9000

            Thank you Darranl,
            I followed your suggestion and now everything is OK
            except one thing.
            When the Prg role calls remove() on the session bean
            I get a SecurityException generated by JBoss.
            I'm using XDoclet to write my session bean's class
            (it automatically generates the ejb-jar.xml file and
            the bean's interfaces) and I can't find in the ejb-jar.xml file
            an authorization for the Prg role to call the remove() method.
            I put this code (by hand) inside the ejb-jar.xml file:

             <method-permission >
             <description></description>
             <role-name>Prg</role-name>
             <role-name>Lis</role-name>
             <method >
             <description></description>
             <ejb-name>Modify</ejb-name>
             <method-intf>Home</method-intf>
             <method-name>remove</method-name>
             <method-params>
             </method-params>
             </method>
             </method-permission>
            


            and restarted JBoss, but the problem is still present.
            JBoss says that the remove() method is callable only
            by the Ips and Aci roles.

            Thank You
            Moreno

            • 3. Re: method-permission problem
              morenito9000

              In ejb-jar.xml file I made a mistake.
              The correct <method-permission> section is:

               <method-permission >
               <description></description>
               <role-name>Prg</role-name>
               <role-name>Lis</role-name>
               <method >
               <description></description>
               <ejb-name>Modify</ejb-name>
               <method-intf>Remote</method-intf>
               <method-name>remove</method-name>
               </method>
               </method-permission>
              


              <method-intf> must be Remote and not Home (I need
              to use the remove() method of the remote interface, the method
              without arguments).

              My last problem is: which XDoclet tags do I need to use
              to generate the <method-permission> section described
              above?

              Many thanks
              Moreno

              • 4. Re: method-permission problem
                gozilla

                Hi morenito9000

                Something you could also have tried is to specify the wildcard permission after the other one. Order often made a difference in descriptors.

                Gozilla