-
1. Re: security declarations in ejb-jar.xml ignored?
daniell May 7, 2010 3:06 AM (in response to daniell)
I just want to add that the access is restricted correctly if I add the @RolesAllowed annotation to the DAO bean. So basically things are working, but not with the usage of the ejb-jar.xml.
-
2. Re: security declarations in ejb-jar.xml ignored?
daniell May 7, 2010 3:51 AM (in response to daniell)
Ok - now I found out some interesting things:
The DAO object I want to protect extends another class.
- If I add some method name in the ejb-jar.xml file, the access to this method is restricted as expected. No matter if this method is defined in the DAO class itself or inherited from some base class.
- If I add the @RolesAllowed annotation to the DAO class, the access to every method (implemented and inherited ones) is restricted.
- If I try to restrict the access by writing a * as method-name in the ejb-jar.xml file, only methods which are declared in the DAO class are taken into consideration. Methods from any base class can be accessed without restrictions!
I thought (and read in many books and articles) that @RolesAllowed on class level has the same meaning as using the * as method-name in the ejb-jar.xml, but obviously it has not. Is there something else I have to configure to get the desired behaviour (I don't want to use the annotations, but exclusively the xml-configuration)?
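An added example, not part of the original thread: a Python check for the gap described in the post above, where `*` covered only methods declared in the bean class while explicitly named methods were restricted. It lists inherited methods that a descriptor does not name explicitly; the bean, role and method names and the `INHERITED` map are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; bean, role and method names are hypothetical.
SAMPLE_EJB_JAR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <assembly-descriptor>
    <security-role><role-name>admin</role-name></security-role>
    <method-permission>
      <role-name>admin</role-name>
      <method><ejb-name>CustomerDAO</ejb-name><method-name>*</method-name></method>
      <method><ejb-name>CustomerDAO</ejb-name><method-name>findById</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

# Assumed input: methods each bean inherits from base classes or interfaces,
# for example collected by reflection at build time (hypothetical names).
INHERITED = {"CustomerDAO": {"findById", "save", "delete"}}

def local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on qualified tags.
    return tag.rsplit("}", 1)[-1]

def named_methods(xml_text):
    """Map each ejb-name to the method-names listed under <method-permission>."""
    covered = {}
    for perm in ET.fromstring(xml_text).iter():
        if local(perm.tag) != "method-permission":
            continue
        for method in perm:
            if local(method.tag) != "method":
                continue
            fields = {local(c.tag): (c.text or "").strip() for c in method}
            covered.setdefault(fields.get("ejb-name"), set()).add(fields.get("method-name"))
    return covered

def wildcard_gaps(xml_text, inherited):
    """Per bean, inherited methods that no <method> entry names explicitly."""
    covered = named_methods(xml_text)
    gaps = {bean: sorted(methods - covered.get(bean, set()))
            for bean, methods in inherited.items()}
    return {bean: missing for bean, missing in gaps.items() if missing}

if __name__ == "__main__":
    for bean, missing in wildcard_gaps(SAMPLE_EJB_JAR, INHERITED).items():
        print(f"{bean}: add explicit <method> entries for {', '.join(missing)}")
```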
-
3. Re: security declarations in ejb-jar.xml ignored?
jaikiran May 8, 2010 2:31 AM (in response to daniell)
Daniel Lechner wrote:
- If I try to restrict the access by writing a * as method-name in the ejb-jar.xml file, only methods which are declared in the DAO class are taken into consideration. Methods from any base class can be accessed without restrictions!
Is that method from the base class exposed as a business interface method from the bean's business interface?
-
4. Re: security declarations in ejb-jar.xml ignored?
jaikiran May 8, 2010 2:33 AM (in response to daniell)
Daniel Lechner wrote:
Hello!
I've a problem while setting EJB3 access restrictions in the ejb-jar.xml. I'm using JBoss 4.2.3 AS.
JBoss AS 4.2.3 wasn't fully EJB3 compliant. There have been numerous changes in AS-5.1.0. You might want to use JBoss AS 5.1.0 and apply our latest EJB3 plugin http://www.jboss.org/ejb3/ejb3plugin.html on it and then see if it works there.
-
5. Re: security declarations in ejb-jar.xml ignored?
daniell May 10, 2010 6:12 AM (in response to jaikiran)
jaikiran pai wrote:
Daniel Lechner wrote:
- If I try to restrict the access by writing a * as method-name in the ejb-jar.xml file, only methods which are declared in the DAO class are taken into consideration. Methods from any base class can be accessed without restrictions!
Is that method from the base class exposed as a business interface method from the bean's business interface?
The business interface, which is annotated with @javax.ejb.Remote, does not contain the mentioned methods itself, but inherits them from another interface. On the interface side we have a hierarchy similar to the one on the class side.
But from your remark on JBoss AS 4.2.3 I suppose that this unexpected behaviour is because the JBoss AS used is not fully compliant with EJB3? So my question then: how did others using JBoss AS 4.2.3 implement security features in their applications?