2 Replies Latest reply on Jun 22, 2012 3:51 AM by i10

    Missing EJBAccessException for protected EJB method call

    i10

      I try to call a protected EJB method from a servlet and do not get the expected EJBAccessException when calling the getVIPBonus() method with a user without the "VIP" role.

       

      The servlet:

      import java.io.IOException;

      import javax.ejb.EJB;
      import javax.servlet.ServletException;
      import javax.servlet.annotation.HttpConstraint;
      import javax.servlet.annotation.ServletSecurity;
      import javax.servlet.http.HttpServlet;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;

      // Only authenticated callers in the Customer or VIP role may reach this servlet at all
      @ServletSecurity(@HttpConstraint(rolesAllowed = {"Customer", "VIP"}))
      public class LoginServlet extends HttpServlet {

          private static final long serialVersionUID = 1L;

          // Container-injected reference to the secured bean's business interface
          @EJB
          MoneyExchange mex;

          protected void processRequest(HttpServletRequest request, HttpServletResponse response)
                  throws ServletException, IOException {

              // Expected to throw EJBAccessException for a caller without the VIP role
              mex.getVIPBonus();
              ...
          }
      }

       

       

      The ejb:

      import java.util.EnumMap;
      import java.util.Map;

      import javax.annotation.PostConstruct;
      import javax.annotation.Resource;
      import javax.annotation.security.DeclareRoles;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.SessionContext;
      import javax.ejb.Stateless;

      import org.jboss.ejb3.annotation.SecurityDomain;

      // CurrencyType (an enum with at least CHF, EUR and USD) and the MoneyExchange
      // business interface are referenced here but not shown in the post.
      @Stateless
      @DeclareRoles("VIP")        // declares the role name so isCallerInRole("VIP") is meaningful; grants nothing
      @RolesAllowed("Customer")   // class-level default for every business method without its own annotation
      @SecurityDomain("other")
      public class MoneyExchangeBean implements MoneyExchange {

          @Resource
          SessionContext ctx;

          /**
           * The VIP bonus in percent, used for calculating better rates.
           */
          private int vipBonus = 5;

          /**
           * The exchange rates for 1 CHF.
           */
          private Map<CurrencyType, Double> rates = new EnumMap<CurrencyType, Double>(
                  CurrencyType.class);

          // --------------------------------------------------------------------------------------------
          // methods
          // --------------------------------------------------------------------------------------------

          @SuppressWarnings("unused")
          @PostConstruct
          private void init() {
              // exchange rates for 1 CHF
              this.rates.put(CurrencyType.CHF, 1.0);
              this.rates.put(CurrencyType.EUR, 0.77);
              this.rates.put(CurrencyType.USD, 1.03);
          }

          // No method-level annotation: inherits the class-level @RolesAllowed("Customer")
          public double getRate(CurrencyType currency) {

              // get principal name
              System.out.println("get rate " + currency + " for user "
                      + ctx.getCallerPrincipal().getName());

              // get rate
              double rate = this.rates.get(currency);

              // calculate bonus rate for VIP's
              if (ctx.isCallerInRole("VIP")) {
                  System.out.println("change rate with VIP bonus");
                  // Plain call on 'this', not through the container proxy, so the
                  // @RolesAllowed("VIP") on getVIPBonus() is not enforced on this path;
                  // the isCallerInRole check above is what guards it.
                  int percent = getVIPBonus();
                  rate = rate * (1 + (percent / 100.0));
              }

              return rate;
          }

          // Method-level annotation overrides the class-level one: only callers in the VIP
          // role may invoke this through the container; anyone else should get an EJBAccessException
          @RolesAllowed("VIP")
          public int getVIPBonus() {
              return vipBonus;
          }

      } // end of class
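How the container is supposed to combine the class-level and method-level annotations on a bean like the one above can be checked without deploying anything. The following is an added example, not code from the original post or from JBoss: it resolves the effective permission of each public method of an annotated class using the JSR-250 precedence rules (a method-level @DenyAll, @PermitAll or @RolesAllowed overrides the class-level annotation; a method with none inherits the class annotation; with no annotation anywhere the method is unrestricted) and then evaluates it for the users from this thread. The nested MoneyExchangeBean stand-in copies only the annotations of the posted bean, the ping() method with @PermitAll is added to show an override in the permissive direction, and the role sets for tom, sam and the unauthenticated guest are assumptions taken from the thread (guest is assumed to hold no roles). It compiles against JDK 6 to 8, where javax.annotation.security is bundled, or with the JSR-250 API jar on the classpath.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/**
 * Added example (not from the original post): resolves the effective
 * authorization rule of each public method of an EJB class from its
 * JSR-250 annotations, following the EJB 3.1 precedence rules:
 *   1. a method-level @DenyAll, @PermitAll or @RolesAllowed wins;
 *   2. otherwise the class-level annotation applies;
 *   3. with no annotation at all the method is unrestricted.
 * @DeclareRoles only declares role names; it never grants access.
 */
public class EjbRoleResolver {

    /** Effective rule for one method: roles == null means permit all, empty set means deny all. */
    static final class Rule {
        final Set<String> roles;
        Rule(Set<String> roles) { this.roles = roles; }
        boolean allows(Set<String> callerRoles) {
            if (roles == null) return true;                       // @PermitAll / unrestricted
            for (String r : roles) if (callerRoles.contains(r)) return true;
            return false;                                         // @DenyAll or no matching role
        }
        @Override public String toString() {
            return roles == null ? "PermitAll" : roles.isEmpty() ? "DenyAll" : "RolesAllowed" + roles;
        }
    }

    /** Rule declared directly on a class or method, or null when it carries no security annotation. */
    private static Rule ruleFrom(AnnotatedElement e) {
        if (e.isAnnotationPresent(DenyAll.class)) return new Rule(new HashSet<String>());
        if (e.isAnnotationPresent(PermitAll.class)) return new Rule(null);
        RolesAllowed ra = e.getAnnotation(RolesAllowed.class);
        if (ra != null) return new Rule(new HashSet<String>(Arrays.asList(ra.value())));
        return null;
    }

    /** Effective rule per public method of the bean class, method-level first, then class-level. */
    static Map<String, Rule> resolve(Class<?> bean) {
        Rule classRule = ruleFrom(bean);
        Map<String, Rule> out = new LinkedHashMap<String, Rule>();
        for (Method m : bean.getDeclaredMethods()) {
            if (!Modifier.isPublic(m.getModifiers())) continue;   // only business methods are intercepted
            Rule r = ruleFrom(m);
            if (r == null) r = classRule;
            if (r == null) r = new Rule(null);                    // spec default: unrestricted
            out.put(m.getName(), r);
        }
        return out;
    }

    // Constructed stand-in carrying the same annotations as the posted MoneyExchangeBean.
    // Bodies are dummies; ping() with @PermitAll is added to show a permissive override.
    @RolesAllowed("Customer")
    static class MoneyExchangeBean {
        public double getRate(String currency) { return 1.0; }
        @RolesAllowed("VIP")
        public int getVIPBonus() { return 5; }
        @PermitAll
        public String ping() { return "pong"; }
    }

    public static void main(String[] args) {
        Map<String, Rule> rules = resolve(MoneyExchangeBean.class);
        // Assumed role sets from the thread: tom = Customer, sam = Customer,VIP,
        // guest = the unauthenticatedIdentity of the login module, assumed to hold no roles
        Map<String, Set<String>> users = new LinkedHashMap<String, Set<String>>();
        users.put("tom", new HashSet<String>(Arrays.asList("Customer")));
        users.put("sam", new HashSet<String>(Arrays.asList("Customer", "VIP")));
        users.put("guest", new HashSet<String>());
        for (Map.Entry<String, Set<String>> u : users.entrySet()) {
            for (Map.Entry<String, Rule> r : rules.entrySet()) {
                boolean ok = r.getValue().allows(u.getValue());
                System.out.printf("%-5s %-12s %-24s -> %s%n", u.getKey(), r.getKey(),
                        r.getValue(), ok ? "allowed" : "EJBAccessException");
            }
        }
    }
}
```

Running main() prints, for each (user, method) pair, whether the container should let the call through: tom reaches getRate() and ping() but not getVIPBonus(), sam reaches all three, guest only ping(). Two points the model makes explicit: @DeclareRoles declares names and never grants access, and the check applies only to calls that arrive through the container proxy. The getVIPBonus() call inside getRate() in the posted bean is a plain this-call and is not intercepted, which is why the explicit isCallerInRole("VIP") guard there is what actually protects that path.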

        • 1. Re: Missing EJBAccessException for protected EJB method call
          jaikiran

          Are you sure the call to the bean is missing the VIP role? How do you authenticate and authorize to the servlet where this invocation is happening?

          • 2. Re: Missing EJBAccessException for protected EJB method call
            i10

            I'm using the predefined security domain "other" and added the following users with the JBOSS_HOME/add_user.bat script to the ApplicationRealm:

            • User tom with role Customer
            • User sam with roles Customer,VIP

            standalone-full.xml snippet:

            <subsystem xmlns="urn:jboss:domain:security:1.1">
                        <security-domains>
                            <security-domain name="other" cache-type="default">
                                <authentication>
                                    <login-module code="Remoting" flag="optional">
                                        <module-option name="password-stacking" value="useFirstPass"/>
                                    </login-module>
                                    <login-module code="RealmUsersRoles" flag="required">
                                        <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                        <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                        <module-option name="realm" value="ApplicationRealm"/>
                                        <module-option name="password-stacking" value="useFirstPass"/>
                                        <module-option name="unauthenticatedIdentity" value="guest"/>
                                    </login-module>