I'm trying to set up a security restriction on an EJB's methods, but I'm running into a couple of confusing problems.
The first problem is that my client is able to connect to the server and call the EJB methods freely, regardless of what kind of security I try to assign to the methods; for example:
<security-role>
<role-name>DataImporter</role-name>
</security-role>
<method-permission>
<role-name>DataImporter</role-name>
<ejb-name>DataServices</ejb-name>
<method-name>*</method-name>
</method-permission>
The second problem is that my client can connect to JBoss, get a reference to this EJB and call its methods without providing any authentication at all; or even if it provides completely bogus authentication:
Hashtable ht = new Hashtable();
ht.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
ht.put(Context.PROVIDER_URL, args[0]);
ht.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces" );
ht.put(Context.SECURITY_PRINCIPAL, "garbage");
ht.put(Context.SECURITY_CREDENTIALS, "moregarbage");
DataServicesHome home =
(DataServicesHome) (new InitialContext(ht)).lookup(DataServicesHome.JNDI_NAME);
dataServices = home.create();
dataServices.addOrUpdateCategory(null);
I don't understand why this code is allowed to even connect to JBoss at all, let alone execute a security-protected method. (It runs with no exception).
The third problem is that while I am aware that the role name I define in my ejb-jar.xml file is not the same as the role names defined in my roles.properties file, I have not found any information as to how to create an association between the two.
Thanks for your help.
I think you ahve not enabled security for the ejb-app. What does the jboss.xml say?