3 Replies Latest reply on Feb 7, 2012 10:40 PM by lpham1

    Test Secure EJB with Arquillian

    lpham1

      Hi All,

       

      I am using JBoss 6.1 and I have a secure EJB with methods annotated with @RolesAllowed("Admin"). I am trying to test this method with Arquillian.

      I have done the EJB login successfully in the @Before of the test; however, it failed to invoke the method. From the TRACE log, I can see that the principal and roles are correct (in this case, 'myuser' and 'Admin'), but the secure EJB's method info is wrong (requiredRoles are empty).

       

          TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]

          TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] method=public au.com.domain.DTOObject au.com.ejb.SecureServiceBean.save(au.com.domain.DTOObject), interface=Local, requiredRoles=Roles()

          TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] Exception:Insufficient method permissions, principal=myuser, ejbName=SecureServiceBean, method=save, interface=Local, requiredRoles=Roles(), principalRoles=Roles(Admin,)

       

      I was able to successfully invoke a method in the same EJB with @PermitAll.

       

      I have looked for Arquillian documentation around secure EJB, but couldn't find any.

       

      Many thanks for your help.

       

      -- Linh

        • 1. Re: Test Secure EJB with Arquillian
          jaikiran

          Can you please post the exact bean code? Also, do you have any ejb-jar.xml file?

          • 2. Re: Test Secure EJB with Arquillian
            lpham1

            Hi Jaikiran,

             

            Code is as follows:

             

            @Stateless
            @SecurityDomain("my-security-domain")
            @DeclareRoles({ "Admin", "Guest" })
            //By default, allow no one access, we'll enable access at the method level
            @RolesAllowed({})
            public class SecureServiceBean implements ServiceBeanLocal
            {
                //instance variables omitted

                @RolesAllowed({ "Admin" })
                @TransactionAttribute(TransactionAttributeType.REQUIRED)
                @Override
                public MyDTO save(MyDTO dtoObject)
                {
                    //omitted
                    //invocation to this method failed in the Integration Test ("Insufficient method permission")
                }

                @PermitAll @Override
                public MyDTO load(long id)
                {
                    //invocation to this method works in the Integration Test
                }
            }

             

            I don't have ejb-jar.xml because I used annotations (please see the above code).

            Thanks for your help.

             

            -- Linh

            • 3. Re: Test Secure EJB with Arquillian
              lpham1

              I have found the <possible> solution and documented it here:

              http://stackoverflow.com/questions/8073643/use-arquillian-to-test-secure-ejb/9187517

               

              Thanks.

              -- Linh