3 Replies Latest reply on Sep 16, 2011 3:38 AM by thescientist

SecurityException caused by ejb-ref?

thescientist May 22, 2011 5:14 AM

Hello

another problem while migrating from 4.2.3 to AS 6:
Some of my Session Beans are working some not. Those not working throw a Security Exception (Denied: caller...) and unlike the working ones have some ejb-refs defined.

Dunno where to look for the error. How does the login configuration change at local refs?

Please look at the log, that explains more what I mean than my words here.

Thanks for any advice.

server.log.zip 1.7 KB
ejb-jar.xml 2.0 KB

1. Re: SecurityException caused by ejb-ref?

thescientist May 25, 2011 4:57 AM (in response to thescientist)

O.k., found out, that if I add a "local" role to the user, I'm able to use all beans. So if a bean looks up another bean, the second one needs the role local.
But adding the local role to all my users has the result, that everybody is allowed to do everything.

So whats wrong with my configuration? Probably can't see the easy solution.

Please give me some advice.

Stefan

Edit: Read again the Security guide, and we have configured the "local" role in <run-as> to prevent users to use internal EJBs, exactly as mentioned in the guide. Don't understand why this exception is thrown at an invocation of a referenced EJB. Why is there a test of the principals, not just the role, which is set by the run-as tag?
Any Idea?
Actions
2. Re: SecurityException caused by ejb-ref?

wolfgangknauf May 26, 2011 11:15 AM (in response to thescientist)

Hi,

you might better ask this in the PicketBox forum (which is about security): http://community.jboss.org/en/picketbox?view=discussions&start=0

Best regards

Wolfgang
Actions
3. Re: SecurityException caused by ejb-ref?

thescientist Sep 16, 2011 3:38 AM (in response to thescientist)

Just for completion: Here I found the answer, finally.
Actions

Go to original post