2 Replies Latest reply on Jun 22, 2012 3:51 AM by i10

    Missing EJBAccessException for protected EJB method call

    i10 Newbie

      I try to call a protected ejb method from a servlet and do not get the expected EJBAccessException when calling the getVIPBonus()

      method with a user without the "VIP" role.

       

      The servlet:

      @ServletSecurity(@HttpConstraint(rolesAllowed = {"Customer", "VIP"}))

      public class LoginServlet extends HttpServlet {

       

          private static final long serialVersionUID = 1L;

       

          @EJB

          MoneyExchange mex;

       

         

          protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

       

              mex.getVIPBonus();

                ...

           }

      }

       

       

      The ejb:

      @Stateless

      @DeclareRoles("VIP")

      @RolesAllowed("Customer")

      @SecurityDomain("other")

      public class MoneyExchangeBean implements MoneyExchange {

       

          @Resource

          SessionContext ctx;

       

          /**

           * The VIP bonus in percent, used for calculating better rates.

           */

          private int vipBonus = 5;

       

          /**

           * The exchange rates for 1 CHF.

           */

          private Map<CurrencyType, Double> rates = new EnumMap<CurrencyType, Double>(

                  CurrencyType.class);

       

          // --------------------------------------------------------------------------------------------

          // methods

          // --------------------------------------------------------------------------------------------

       

          @SuppressWarnings("unused")

          @PostConstruct

          private void init() {

              // exchange rates for 1 CHF

              this.rates.put(CurrencyType.CHF, 1.0);

              this.rates.put(CurrencyType.EUR, 0.77);

              this.rates.put(CurrencyType.USD, 1.03);

          }

       

          public double getRate(CurrencyType currency) {

       

              // get principal name

              System.out.println("get rate " + currency + " for user "

                      + ctx.getCallerPrincipal().getName());

       

              // get rate

              double rate = this.rates.get(currency);

       

              // calculate bonus rate for VIP's

              if (ctx.isCallerInRole("VIP")) {

                  System.out.println("change rate with VIP bonus");

                  int percent = getVIPBonus();

                  rate = rate * (1 + (percent / 100.0));

              }

       

              return rate;

          }

       

          @RolesAllowed("VIP")

          public int getVIPBonus() {

              return vipBonus;

          }

       

      } // end of class

        • 1. Re: Missing EJBAccessException for protected EJB method call
          jaikiran pai Master

          Are you sure the call to the bean is missing the VIP role? How do you authenticate and authorize to the servlet where this invocation is happening?

          • 2. Re: Missing EJBAccessException for protected EJB method call
            i10 Newbie

            I'm using the predefined security domain other and added the following user's with the JBOSS_HOME/add_user.bat Scritpt to the ApplicationRealm:

            • User tom with role Customer
            • User sam with roles Customer,VIP

             

            standalone-full.xml snippet:

            <subsystem xmlns="urn:jboss:domain:security:1.1">

                        <security-domains>

                            <security-domain name="other" cache-type="default">

                                <authentication>

                                    <login-module code="Remoting" flag="optional">

                                        <module-option name="password-stacking" value="useFirstPass"/>

                                    </login-module>

                                    <login-module code="RealmUsersRoles" flag="required">

                                        <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>

                                        <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>

                                        <module-option name="realm" value="ApplicationRealm"/>

                                        <module-option name="password-stacking" value="useFirstPass"/>

                                        <module-option name="unauthenticatedIdentity" value="guest"/>

                                    </login-module>