2 Replies Latest reply on Jun 17, 2005 10:05 AM by Scott Stark

    Secured session bean method permission gets treated incorrec

    Gray Newbie

      Summary

      Why is it that my secured session bean method permission gets treated incorrectly? Is there something I am doing wrong or is it a genuine bug?

      Detail

      I have a rich client that is using the following sequence for logging into JBoss.
      1) JAAS Login using JBoss's ClientLoginModule (which does not do an immediate call to authenticate)
      2) Immediately call a secured session bean method to force the authentication and authorisation operations
      3) If 2 fails then do a JAAS logout

      This is apparently a fairly usual way of doing client login in the JBoss world.

      The problem is with step 2. There is something here that is not working the way it is supposed to.

      Lets say I get hold of the remote proxy to the bean via the home interface before the login operation. This would require the following to be in the assembly descriptor section of the ejb-jar.xml

       <method-permission >
       <description/>
       <unchecked/>
       <method >
       <description/>
       <ejb-name>LoginManager</ejb-name>
       <method-intf>Home</method-intf>
       <method-name>create</method-name>
       <method-params/>
       </method>
       </method-permission>
      


      This succeeds fine. So now I have a bean I can call the remote login method on.

      Then I secure the login method with the role "end-user" as follows

       <security-role>
       <description/>
       <role-name>end-user</role-name>
       </security-role>
      
      
       <method-permission >
       <description/>
       <role-name>end-user</role-name>
       <method >
       <description/>
       <ejb-name>LoginManager</ejb-name>
       <method-intf>Remote</method-intf>
       <method-name>login</method-name>
       <method-params/>
       </method>
       </method-permission>
      


      The call to the login method works for authenticated users with the role end-user. This is correct behaviour.

      For non authenticated users the method call fails. Also correct behaviour.

      However what is frustratrating is that if they are an authenticated user without the role end-user the call to login succeeds despite me having clearly spelled out that the method requires this role!

      Anyone help? I am on the verge of posting a bug report but don't want to waste anyone's time if I have misunderstood how this is supposed to work.

      BTW I am using JBoss 4.0.1 if it makes any difference.

      Kindest Regards,

      Graeme