4 Replies Latest reply on Mar 22, 2002 9:19 AM by Ryan Lentell

    Access To Methods Without Permissions

    Ryan Lentell Newbie

      We have developed a simple application with two roles. In the ejb-jar.xml we defined two roles, default and FNS. The FNS role is allowed access to half of the EJBs, while the default role is allowed access to the other EJBs.

      We are accessing the EJBs through a Java application. I would expect that if the user is only assigned to the default role, an exception would be thrown when accessing EJBs only given permission to the FNS role. However, the user is allowed access to all EJB methods when assigned to either role. I have included the applicable portion of the ejb-jar.xml.

      If anyone has any suggestions it would be of great help!

      <security-role>
        <role-name>FNS</role-name>
      </security-role>
      <security-role>
        <role-name>default</role-name>
      </security-role>

      <method-permission>
        <role-name>default</role-name>
        <method>
          <ejb-name>UserSessionBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>SessionManagerBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>UniqueIdentifierBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>UniqueIdentifierSessionBean</ejb-name>
          <method-name>*</method-name>
        </method>
      </method-permission>

      <method-permission>
        <role-name>FNS</role-name>
        <method>
          <ejb-name>CompanyBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>RoleBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>OperatorBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>SystemMenuItemBean</ejb-name>
          <method-name>*</method-name>
        </method>
        <method>
          <ejb-name>SystemMenuTypeBean</ejb-name>
          <method-name>*</method-name>
        </method>
      </method-permission>
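
To tell a descriptor mistake apart from a container that is not enforcing the descriptor, this added example (not part of the original post) parses the `<method-permission>` blocks and lists every role/bean pair that should be refused. The sample is a constructed, abbreviated descriptor using the post's role and bean names; the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two beans per role, wrapped in <assembly-descriptor>
# so that it parses as a single XML document.
SAMPLE = """<assembly-descriptor>
  <security-role><role-name>FNS</role-name></security-role>
  <security-role><role-name>default</role-name></security-role>
  <method-permission>
    <role-name>default</role-name>
    <method><ejb-name>UserSessionBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>SessionManagerBean</ejb-name><method-name>*</method-name></method>
  </method-permission>
  <method-permission>
    <role-name>FNS</role-name>
    <method><ejb-name>CompanyBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>RoleBean</ejb-name><method-name>*</method-name></method>
  </method-permission>
</assembly-descriptor>"""

def load(text):
    """Parse descriptor text and return the root element."""
    return ET.fromstring(text)

def declared_roles(root):
    return {r.findtext("role-name").strip() for r in root.iter("security-role")}

def permission_map(root):
    """Return {ejb-name: {method-name: set(roles)}} from <method-permission>."""
    perms = defaultdict(lambda: defaultdict(set))
    for mp in root.iter("method-permission"):
        roles = {r.text.strip() for r in mp.findall("role-name")}
        for m in mp.findall("method"):
            ejb = m.findtext("ejb-name").strip()
            perms[ejb][m.findtext("method-name").strip()] |= roles
    return perms

def allowed(perms, role, ejb, method):
    """True if the descriptor grants `role` the method (exact name or '*')."""
    bean = perms.get(ejb, {})
    return role in (bean.get(method, set()) | bean.get("*", set()))

def denied_beans(root):
    """(role, ejb) pairs where the role is granted no method of the bean."""
    perms = permission_map(root)
    return sorted((role, ejb) for role in declared_roles(root) for ejb in perms
                  if not any(role in rs for rs in perms[ejb].values()))

if __name__ == "__main__":
    for role, ejb in denied_beans(load(SAMPLE)):
        print(f"{role} should be refused on {ejb}")
```

Each pair it reports is a call that should fail for a user holding only that role; if such a call succeeds at runtime, the descriptor is not what is deciding access.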