2 Replies Latest reply on Nov 2, 2001 3:10 AM by c.f.ong

    Works only for the first EJB but not the second one

    c.f.ong Newbie

      Hi

      I've been doing some testing on implementing security for a simple project and encountered the following situation:

      Using either a servlet or standalone client, I was able to invoke ejb1->method_A() without any problem. However, when I tried to invoke ejb1->method_B(), I've got a Security Exception, i.e. "username=null" and so on. In ejb1->method_B()is a call to invoke ejb2->method_C().

      The ejb-jar.xml is as follows:

      <assembly-descriptor>
      <security-role>
      <role-name>Guest</role-name>
      </security-role>
      <method-permission>
      <role-name>Guest</role-name>

      <ejb-name>ejb1</ejb-name>
      <method-name>*</method-name>

      </method-permission>
      <method-permission>
      <role-name>Guest</role-name>

      <ejb-name>ejb2</ejb-name>
      <method-name>*</method-name>

      </method-permission>
      </assembly-descriptor>

      The Security Exception goes away only if I use the following method permission instead for ejb2, i.e.
      <method-permission>


      <ejb-name>ejb2</ejb-name>
      <method-name>*</method-name>

      </method-permission>

      Is the above situation the expected behaviour or a bug?

      Many thanks to all who can shed some light!

      Regards
      Ong CF

        • 1. Re: Works only for the first EJB but not the second one
          J. Wolfgang Kaltz Novice

          > I've got a Security Exception, i.e. "username=null"
          > and so on. In ejb1->method_B()is a call to invoke
          > ejb2->method_C().

          I suppose your method_C in ejb2 is also in a security environment.
          So, the way I see it, your ejb1 is a client of ejb2. You have authenticated for calls from a client to ejb1, but not for ejb1 being a client of ejb2, so you would need to perform the client side login within ejb1 before it accesses ejb2.

          • 2. Re: Works only for the first EJB but not the second one
            c.f.ong Newbie

            Hi

            Many thanks for your reply.

            I've tried out your suggestion and encountered the following cases:

            1. If ejb1 is a stateless session bean, then no need to perform a client side login in order to invoke ejb2->method_C()successfully.

            2. However, if ejb1 is a message driven bean, then even with a client side login (feeding in the correct username and password) I would still get a Security Exception (principal=null) on invoking the ejb2->method_C() call in ejb1.

            Does anyone know what may be the cause of the Security Exception due to the message driven bean? Any possible solution or is this a bug?

            Many thanks.

            Regards
            Ong CF