0 Replies Latest reply on Apr 13, 2002 4:57 PM by Erik Konijnenburg

    web access possible on EJB excluded methods

    Erik Konijnenburg Newbie

      Hi there,

      I am trying to work out how the security works.

      I created a servlet helloServlet which accesses a method of the EJB HelloWorld. After logging in via the web with a userrole Customer I can still access the EJB via the Servlet, while I have excluded every method of the EJB.

      I would expect that I could not access the EJB. What am I doing wrong. Or is my setup not correct.
      I tried with the packages JBoss-2.4.4_Tomcat-3.2.3 and
      JBoss-2.4.4_Tomcat-4.0.1. Neither of them worked.

      Any help?

      Erik



      ejb-jar.xml
      -----------
      <ejb-jar>
      <enterprise-beans>

      <display-name>HelloWorld</display-name>
      <ejb-name>HelloWorld</ejb-name>
      securehelloworld.HelloWorldHome
      securehelloworld.HelloWorld
      <ejb-class>securehelloworld.HelloWorldBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>

      </enterprise-beans>
      <assembly-descriptor>
      <security-role>

      <role-name>Customer</role-name>
      </security-role>
      <security-role>

      <role-name>Erik</role-name>
      </security-role>
      <container-transaction>

      <ejb-name>HelloWorld</ejb-name>
      <method-name>*</method-name>

      <trans-attribute>Required</trans-attribute>
      </container-transaction>
      <exclude-list>


      <ejb-name>HelloWorld</ejb-name>
      <method-name>*</method-name>

      </exclude-list>
      </assembly-descriptor>
      </ejb-jar>

      --------
      web.xml
      --------
      <web-app>


      <servlet-name>helloServlet</servlet-name>
      <servlet-class>securehelloworld.SecureHelloWorldServlet</servlet-class>


      <servlet-name>webHello</servlet-name>
      <jsp-file>/hello.jsp</jsp-file>

      <servlet-mapping>
      <servlet-name>helloServlet</servlet-name>
      <url-pattern>/helloServlet</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
      <servlet-name>webHello</servlet-name>
      <url-pattern>/webHello</url-pattern>
      </servlet-mapping>
      <session-config>
      <session-timeout>30</session-timeout>
      </session-config>
      <welcome-file-list>
      <welcome-file>hello.jsp</welcome-file>
      </welcome-file-list>
      <security-constraint>
      <display-name>Customer, Erik</display-name>
      <web-resource-collection>
      <web-resource-name>Collection1</web-resource-name>
      <url-pattern>/helloServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Erik</role-name>
      <role-name>Customer</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      <security-constraint>
      <display-name>Customer, Erik</display-name>
      <web-resource-collection>
      <web-resource-name>Collection1</web-resource-name>
      <url-pattern>/webHello</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Erik</role-name>
      <role-name>Customer</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logon_failed.jsp</form-error-page>
      </form-login-config>
      </login-config>
      <security-role>
      Test
      <role-name>Customer</role-name>
      </security-role>
      <security-role>
      Test
      <role-name>Erik</role-name>
      </security-role>
      <ejb-ref>
      <ejb-ref-name>EJB/HelloWorld</ejb-ref-name>
      <ejb-ref-type>Session</ejb-ref-type>
      securehelloworld.HelloWorldHome
      securehelloworld.HelloWorld
      </ejb-ref>
      </web-app>