4 Replies Latest reply on Sep 10, 2010 4:23 PM by anil.saldhana

Can EJB XACML Policy support method overload

dangvo Aug 16, 2010 6:53 PM

I have been experiementing with XACML authorization in particular EJBs and it seems to me that the Action's value is derived from the EJB's method call minus the argument signature.

From org.jboss.security.authorization.modules.ejb.EJBXACMLPolicyModuleDelegate.java

...

RequestContext requestCtx = util.createXACMLRequest(this.ejbName, this.ejbMethod.getName(),this.ejbPrincipal, callerRoles);

...

My problem is that if my EJB has 2 overload methods for example 'bar(Integer)' and 'bar(String)', I cannot distinguish them from the policy as the action value are both 'bar'. Can anyone confirm or dismiss this observation?

1. Re: Can EJB XACML Policy support method overload

anil.saldhana Aug 18, 2010 1:56 PM (in response to dangvo)

I dont think we considered ejb method overload. Why not rename your methods?
Actions
2. Re: Can EJB XACML Policy support method overload

dangvo Aug 18, 2010 2:17 PM (in response to anil.saldhana)

Hi Anil,

Of course the methods can always be renamed. But what I'm alluding to is if the methods' arguments are taken into account maybe I can also check their values for authorization. Something likes user A can only call bar(int x) where x < 50. Is it even possible?

Thanks
Actions
3. Re: Can EJB XACML Policy support method overload

anil.saldhana Aug 19, 2010 11:16 AM (in response to dangvo)

Long story.

The EJB XACML namespaces are not standardized. So I had low expectations of it becoming popular. Anyway, the ideal strategy would be for the ejb/ee namespaces to be standardized.

We are definitely going to fix this with a https://jira.jboss.org/browse/SECURITY-519 bug.

Workaround:
Implement a XACML Authorization Module delegate and implement it yourself for the time being.
Actions
4. Re: Can EJB XACML Policy support method overload

anil.saldhana Sep 10, 2010 4:23 PM (in response to anil.saldhana)

http://community.jboss.org/wiki/JBossApplicationServerXACMLwithEJBOverloadedMethods

Solved.
Actions

Go to original post