-
1. Re: @RolesAllowed ignored by JBoss AS 6.10/7.02?
jaikiran Nov 20, 2011 8:18 AM (in response to henk53)
Without any @org.jboss.ejb3.annotation.SecurityDomain, the security is disabled on the bean.
-
2. Re: @RolesAllowed ignored by JBoss AS 6.10/7.02?
henk53 Nov 20, 2011 9:06 AM (in response to jaikiran)
jaikiran pai wrote:
Without any @org.jboss.ejb3.annotation.SecurityDomain, the security is disabled on the bean.
I see. Thanks!
I wonder, is this spec compliant? I mean, obviously the @org.jboss.ejb3.annotation.SecurityDomain annotation is JBoss specific, but does the spec allow this behavior, or is there some unclarity here? I've yet to check the actual spec, but neither the book Enterprise JavaBeans (O'Reilly) nor EJB 3 in Action (Manning) mentions that there is anything container specific needed to make @RolesAllowed work.
-
3. Re: @RolesAllowed ignored by JBoss AS 6.10/7.02?
henk53 Nov 20, 2011 9:20 AM (in response to jaikiran)
jaikiran pai wrote:
Without any @org.jboss.ejb3.annotation.SecurityDomain, the security is disabled on the bean.
p.s.
This one doesn't seem to be put on the buildpath in Eclipse by JBoss Tools. There's only org.jboss.security.annotation.SecurityDomain there. The JBoss AS 6.x runtime does expose org.jboss.ejb3.annotation.SecurityDomain.
-
4. Re: @RolesAllowed ignored by JBoss AS 6.10/7.02?
henk53 Nov 20, 2011 9:55 AM (in response to henk53)
To follow up: with the annotation mentioned by jaikiran it does work.
For those also stuck with this and having found this via search, what I did was the following:
Create a dynamic web project in Eclipse called 'rolesAllowedTest', target JBoss AS 6.x runtime, create a 'com.example' package and add the following two files:
RolesTestEJB.java
package com.example;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@DeclareRoles({"FOO"})
@SecurityDomain("something")
public class RolesTestEJB {

    @RolesAllowed({"FOO"})
    public void securedMethod() {
        System.out.println("In secured method");
    }
}
RolesTestServlet.java
package com.example;

import java.io.IOException;

import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;

@WebServlet(urlPatterns = "/test")
public class RolesTestServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @EJB
    private RolesTestEJB rolesTestEJB;

    @Override
    public void service(ServletRequest request, ServletResponse response)
            throws ServletException, IOException {
        rolesTestEJB.securedMethod();
    }
}
Nothing else was done, no web.xml or other xml file was added. Deploy this to the server, and browse to http://localhost:8080/rolesAllowedTest/test
JBoss AS 6.10 will respond with:
javax.ejb.EJBAccessException: Invalid User
JBoss AS 7.02 will respond with:
javax.ejb.EJBAccessException: Invocation on method: public void com.example.RolesTestEJB.securedMethod() of bean: RolesTestEJB is not allowed
Glassfish 3.1.1 will respond with:
javax.ejb.EJBAccessException Caused by: javax.ejb.AccessLocalException: Client not authorized for this invocation.
The earlier question does still stand, is it spec compliant to require this extra annotation?
-
5. Re: @RolesAllowed ignored by JBoss AS 6.10/7.02?
henk53 Nov 20, 2011 4:54 PM (in response to henk53)
I discovered one other oddity. On JBoss AS 6.10, in an EAR with only an EJB module, I can add a META-INF/jboss.xml that defines the security domain as follows:
META-INF/jboss.xml
<?xml version="1.0" ?>
<jboss xmlns="http://www.jboss.com/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss_5_0.xsd"
       version="5.0">
    <security-domain>something</security-domain>
</jboss>
If the secured EJB is injected into an MDB, it can call the secured methods without having the @SecurityDomain annotation. However, if the application consists of only a web module (like the example given in the previous post), then this trick does not seem to work. Neither does adding a WEB-INF/jboss-web.xml help, like:
WEB-INF/jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
    <security-domain>something</security-domain>
</jboss-web>
In the case of the web module, I also created a web.xml with a security-constraint and security-role in it (this is often needed to 'activate' security, even if the constraint or roles aren't used).
Any idea why the .xml file works in the EJB module, but not in the web module for JBoss AS 6.10?
In AS 7 the trick doesn't work at all for the web module, since JBoss suddenly complains there's no realm:
[org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployment of "rolesAllowedTest.war" was rolled back with failure message {"Services with missing/unavailable dependencies" => ["jboss.web.deployment.default-host./rolesAllowedTest.realm missing [ jboss.security.security-domain.something ]"]}
So if the annotation is used, JBoss AS 7 doesn't need a realm to be defined somewhere else, but if an xml file is used it needs an extra definition somewhere?
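As an added example (not code from the thread, from JBoss or from JBoss Tools): a small build-time check, in Python, for the failure mode in posts 1 and 4, where a bean's @RolesAllowed is silently unenforced because org.jboss.ejb3.annotation.SecurityDomain is missing, and for the other SecurityDomain import that post 3 says Eclipse puts on the build path. The regexes, the descriptor_domain flag (modelling the META-INF/jboss.xml case from post 5) and the sample sources are my own assumptions; the check reads source text only.

```python
"""Build-time lint for the thread's silent failure: @RolesAllowed on an EJB that
has no org.jboss.ejb3.annotation.SecurityDomain, so nothing is enforced."""
import re
from pathlib import Path

EJB_BEAN = re.compile(r"@(Stateless|Stateful|Singleton|MessageDriven)\b")
AUTHZ = re.compile(r"@(RolesAllowed|DeclareRoles|DenyAll|PermitAll)\b")
EJB3_IMPORT = re.compile(r"import\s+org\.jboss\.ejb3\.annotation\.SecurityDomain\s*;")
TOOLS_IMPORT = re.compile(r"import\s+org\.jboss\.security\.annotation\.SecurityDomain\s*;")
SHORT_USE = re.compile(r"@SecurityDomain\s*\(")
FQ_USE = re.compile(r"@org\.jboss\.ejb3\.annotation\.SecurityDomain\s*\(")

def strip_comments(src: str) -> str:
    """Remove // and /* */ comments so commented-out annotations are not counted."""
    return re.sub(r"//.*?$|/\*.*?\*/", "", src, flags=re.S | re.M)

def check_bean_source(src: str, descriptor_domain: bool = False) -> list:
    """Findings for one .java source ([] = nothing to flag). descriptor_domain=True
    models an EJB module whose META-INF/jboss.xml sets <security-domain> (AS 6.10)."""
    code = strip_comments(src)
    if not (EJB_BEAN.search(code) and AUTHZ.search(code)):
        return []  # not a bean, or no role constraints that could be left unenforced
    findings = []
    if TOOLS_IMPORT.search(code):
        findings.append("imports org.jboss.security.annotation.SecurityDomain (the one on the "
                        "Eclipse build path), not org.jboss.ejb3.annotation.SecurityDomain")
    bound = FQ_USE.search(code) or (EJB3_IMPORT.search(code) and SHORT_USE.search(code))
    if not bound and not descriptor_domain:
        findings.append("@RolesAllowed/@DeclareRoles present but no "
                        "org.jboss.ejb3.annotation.SecurityDomain: security is disabled")
    return findings

def scan(root: str) -> dict:
    """Map each offending .java file under root to its findings (run this in CI)."""
    report = {}
    for path in Path(root).rglob("*.java"):
        findings = check_bean_source(path.read_text(encoding="utf-8"))
        if findings:
            report[str(path)] = findings
    return report
# Constructed samples (not the thread's files), shaped like the post's RolesTestEJB.
ENFORCED = """package com.example;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;
@Stateless @SecurityDomain("something")
public class RolesTestEJB { @RolesAllowed({"FOO"}) public void securedMethod() {} }"""
UNENFORCED = ENFORCED.replace("import org.jboss.ejb3.annotation.SecurityDomain;\n", "").replace(' @SecurityDomain("something")', "")
WRONG_IMPORT = ENFORCED.replace("org.jboss.ejb3.annotation", "org.jboss.security.annotation")
```

Running scan("src/main/java") in a build step turns the silent "security disabled on the bean" case into a failing check instead of an EJBAccessException that only appears (or, worse, never appears) at runtime.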