1 Reply Latest reply on Aug 26, 2002 2:07 PM by Michael Wenig

    account-manager: create new accounts and method permissions

    Michael Wenig Newbie

      Hello,

      I'm writing an account-manager app where users can register themselves so that they can authenticate themselves later with the information entered.

      So I have a SessionBean (SUserBean) with two methods ("getNewUser" "storeNewUser") which everyone (especially unathenticated users) are allowed to call.
      In addition I have a method "getUser" which returns the actual users data (to edit the own user profile).

      So I placed method-permissions on the methods-to-secure, entered a name for "unauthenticated-principal" in jboss.xml and assigned method-permissions for this user to the two unsecure-methods.

      But this doen't work - all I get are SecurityPermissions (principal=null) at the point where I create a new bean

      (look dtds below)
      I think there is a mapping mising between the user "NOBODY" and the role "UNATHENTICATED" but I didn't found anything where I can specifiy this. I also tried to use the same name but that didn't work, too.

      Can anyone help me???

      Thanks Michael

      Here are my DDs: (compressed to security-relevant parts)

      ejb-jar:
      <ejb-jar>
      <assembly-descriptor>
      <security-role><role-name>AllUsersRole</role-name></security-role>
      <security-role><role-name>UnauthenticatedRole</role-name></security-role>
      <method-permission>
      <role-name>AllUsersRole</role-name>

      <ejb-name>SUserBean</ejb-name>
      <method-name>getUser</method-name>


      <ejb-name>SUserBean</ejb-name>
      <method-name>store</method-name>
      <method-params><method-param>IUserRW</method-param></method-params>

      </method-permission>
      <method-permission>
      <role-name>UNATHENTICATED</role-name>

      <ejb-name>SUserBean</ejb-name>
      <method-name>createNew</method-name>


      <ejb-name>SUserBean</ejb-name>
      <method-name>ejbCreate</method-name>

      </method-permission>
      </assembly-descriptor>
      </ejb-jar>


      jboss.xml:

      <security-domain>java:/jaas/myDomain</security-domain>
      <unauthenticated-principal>NOBODY</unauthenticated-principal>