4 Replies Latest reply on May 7, 2002 2:57 PM by Thomas Cherel

    problem with method-permission

    Annegret Sternagel Newbie

      Hi,

      I have a problem with method-permission in jboss 2.4.3 which I can reproduce with the jaas-howto sample of the jboss docu.
      To remember: in the sample the following method-permission is configured:

      <assembly-descriptor>
      <security-role>
      <role-name>Echo</role-name>
      </security-role>

      <method-permission>
      <role-name>Echo</role-name>

      <ejb-name>StatelessSession</ejb-name>
      <method-name>*</method-name>


      <ejb-name>StatefulSession</ejb-name>
      <method-name>*</method-name>

      </method-permission>

      <method-permission>
      <role-name>Coder</role-name>

      <ejb-name>StatefulSession</ejb-name>
      <method-name>create</method-name>


      <ejb-name>StatefulSession</ejb-name>
      <method-name>remove</method-name>


      <ejb-name>StatefulSession</ejb-name>
      <method-name>noop</method-name>

      </method-permission>
      </assembly-descriptor>


      Users with role Coder can access the StatefulSession bean and call method 'noop' but are not allowed to call the (existing) method 'echo'.

      From client point of view I would expect the following behaviour for users with role Coder:
      create StatefulSession => ok
      call method noop => ok
      call method echo => SecurityException
      call method noop => ok
      remove StatefulSession => ok

      But the following behavior happens:
      create StatefulSession => ok
      call method noop => ok
      call method echo => SecurityException
      call method noop => TRANSACTION ROLLBACK EXCEPTION:Could not activate; nested exception is: java.io.FileNotFoundException: ...\sessions\StatefulSession\1010741052346.ser

      I think this is because the container discards the bean after the SecurityException. Is that right ?
      What can I do to get the expected behaviour ?

      Any help would be appreciated

        • 1. Re: problem with method-permission
          Roman Newbie

          I think you need to add
          <security-role>
          <role-name>Coder</role-name>
          </security-role>
          into <assembly-descriptor> too.

          • 2. Re: problem with method-permission
            Thomas Cherel Novice

            Did you find the way to solve this issue?
            I am experiencing exactly the same one with JBoss 2.4.4

            Thanks.

            • 3. Re: problem with method-permission
              Thomas Cherel Novice

              I should probably mention that there is no problem at all if the session bean is deployed as a stateless session bean. But if it is deployes as a stateful one, then the exception described in the initial email of this thread is occuring.
              Anybody has any ideas why? Am I missing something in the EJB spec or JBoss documentation saying that after a security excpetion, the stateful bean are gone/discarded?
              Any help will be appreciated.

              Thomas

              • 4. Re: problem with method-permission
                Thomas Cherel Novice

                Thanks to Annegret (the intial post of this thread), I got the answer to my question. There it is for anybody else interested:

                The behavior you see is correct based on our interpretation of the
                EJB spec. The SecurityException is treated as RuntimeException
                thrown by the business method and the session is discarded. If
                other servers treat this differently file a bug.

                You cannot achieve the behavior you are looking for using a single
                stateful session bean accessed by a client. You would need to
                partition the work being done so that the restricted operation can
                be isolated from the session state you want to save on failure. You
                would need to add another stateless or stateful session bean for the
                restricted operation and catch and deal with the SecurityException
                thrown.

                xxxxxxxxxxxxxxxxxxxxxxxx
                Scott Stark
                Chief Technology Officer
                JBoss Group, LLC
                xxxxxxxxxxxxxxxxxxxxxxxx