8 Replies Latest reply on Oct 24, 2005 9:45 AM by vinay_ven

    does ejbCreate() require a permission

    vinay_ven

      Hi,

      I've written a stateless bean and I've given permissions to some of the methods in the bean.
      I've written a custom login module that authenticates the user, and the getRoleSets method retrieves roles from the database.

      The login happens fine, but as soon as I invoke any of the EJB methods, I get an error stating that there are no permissions on the create method:

      java.lang.SecurityException: Insufficient method permissions, principal=mackju, ejbName=ResultsSes, method=create
      interface=HOME, requiredRoles=[], principalRoles=[WebsiteUser, ResultWriter, ResultReader]


      In the ejb-jar.xml, if I add

      <method-permission>
        <role-name>ResultReader</role-name>
        <method>
          <ejb-name>ResultsSes</ejb-name>
          <method-intf>Remote</method-intf>
          <method-name>create</method-name>
        </method>
      </method-permission>

      everything works fine.

      This effectively means that I need to provide permissions for all the callback methods as well, which is not appropriate.

      Can anyone tell me if I'm missing anything in any of the config files?

      Thanks, Vinay

        • 1. Re: does ejbCreate() require a permission
          darranl

          Yes, you are missing the point: you are confusing the relationship between the create method on the home interface and the ejbCreate method of the bean implementation.


          • 2. Re: does ejbCreate() require a permission
            vinay_ven

            Hi,

            But there is no point in giving access rights to the callback methods, right?

            Why should there be any permissions allotted to the callback methods?

            Ideally one would want to permission the business methods.

            I would be grateful if you can please clarify.

            Thanks
            vinay

            • 3. Re: does ejbCreate() require a permission
              darranl

              But the message is not about securing the callback methods. The callback methods are ejbCreate and ejbRemove, and when these are called is not directly related to the calls from the client.

              The method you are securing is the create method of the home interface, and the reason for securing this is to say which users are allowed to get access to the component's remote interface.

              • 4. Re: does ejbCreate() require a permission
                vinay_ven

                Hi,

                Thanks a lot for your help.

                But once you have given permissions to the business methods, is there any point in controlling access to remote object creation?

                Let us assume that a user who does not have access to any of the business methods logs in; in that case the container would throw a security exception anyway.

                I think we need to put in unnecessary code, and this would also mean that if I have configured 20 roles for the bean for 20 different business methods, all of them will have an entry for the create method, which is really a pain.

                Please correct me if I'm wrong.

                Thanks a lot again for your help.

                Looking forward to your reply.

                Thanks
                Vinay

                • 5. Re: does ejbCreate() require a permission
                  darranl

                  Ok in that scenario instead of specifying the roles in the <method-permission> element you can add an element <unchecked/> to disable the checking of the roles.

                  • 6. Re: does ejbCreate() require a permission
                    vinay_ven

                    Hi,

                    Sorry, I've not used the unchecked option. But can it be applied at a method level or at a class level?

                    If it can be applied at the class level, then it would be difficult because I need to permission some business methods.

                    Looking forward to your reply.

                    Thanks
                    Vinay

                    • 7. Re: does ejbCreate() require a permission
                      darranl

                      It can be applied at method level. Basically, you would define a method-permission element that contains method elements that describe the method you do not want security checks for - within this method-permission you would put the unchecked element instead of adding the role-name elements.

                      <method-permission>
                        <unchecked/>
                        <method>
                          <ejb-name>EmployeeService</ejb-name>
                          <method-name>*</method-name>
                        </method>
                      </method-permission>
                      


                      The remaining methods can be secured in the same way that you are currently securing them.
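
The advice in replies 5 and 7 applied to the bean from the original question, as an added example that is not part of the thread: role checking is switched off for the home interface's create method only, while the business methods keep their role-based permissions. The bean name ResultsSes and the roles ResultReader and ResultWriter come from the error message above; the business method names getResults and saveResult are hypothetical.

```xml
<!-- Added example: assembly-descriptor fragment of ejb-jar.xml (EJB 2.x). -->
<assembly-descriptor>
  <security-role><role-name>ResultReader</role-name></security-role>
  <security-role><role-name>ResultWriter</role-name></security-role>

  <!-- No role check for create() on the Home interface. The entry is scoped
       with method-intf and method-name: the wildcard form
       <method-name>*</method-name> applies to every method of the bean,
       business methods included, so it is not used here. -->
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>ResultsSes</ejb-name>
      <method-intf>Home</method-intf>
      <method-name>create</method-name>
    </method>
  </method-permission>

  <!-- Business methods stay role-protected (method names are hypothetical). -->
  <method-permission>
    <role-name>ResultReader</role-name>
    <method>
      <ejb-name>ResultsSes</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>getResults</method-name>
    </method>
  </method-permission>

  <method-permission>
    <role-name>ResultWriter</role-name>
    <method>
      <ejb-name>ResultsSes</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>saveResult</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
```

With this layout the 20-roles case raised in reply 4 needs no per-role entry for create, and a caller without any of the business roles is still rejected when a business method is invoked.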

                      • 8. Re: does ejbCreate() require a permission
                        vinay_ven

                        Thanks a lot for your help.