12 Replies Latest reply on Jun 29, 2006 8:06 PM by Susumu Majima

    NEED HELP : Declarative authorization doesn't work

    Susumu Majima Newbie

      I try declarative authorization limit but it doesn't work. JBOSS is 4.0.4.GA.

      I use FORM authentification and call stateless sesssion bean via servlet.

      The users and roles are set by DatabaseServerLoginModule.

      The users are

      mysql> select * from users;
      +----------+----------+
      | username | passwd |
      +----------+----------+
      | user1 | password |
      | user2 | password |
      | user3 | password |
      | manager | password |
      +----------+----------+


      mysql> select * from userroles;
      +----------+-----------+
      | username | userRoles |
      +----------+-----------+
      | user1 | user |
      | user2 | user |
      | user3 | user |
      | manager | admin |
      +----------+-----------+

      The propgram is tiny one.

      The method multi is allowed only "user" role.
      The method plus is allowed only "admin" role.
      The method minus is allowed any role.

      I executed program but manager is able to execute multi. And user1 is able to execute plus.
      No message comes from JBOSS.

      package security.sample;
      
      import java.security.Principal;
      
      import javax.annotation.Resource;
      import javax.annotation.security.PermitAll;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.SessionContext;
      import javax.ejb.Stateless;
      
      
      @Stateless
      public class CalculatorBean implements Calculator {
      
       @Resource SessionContext ctx;
      
       @RolesAllowed("user")
       public int multi(int value1, int value2) {
       checkUser("multi");
       return value1 * value2;
       }
      
       @RolesAllowed("admin")
       public int plus(int value1, int value2) {
       checkUser("plus");
       return value1 + value2;
       }
      
      
       @PermitAll
       public int minus(int value1, int value2) {
       checkUser("minus");
       return value1 - value2;
       }
      
       private void checkUser(String methodName) {
       System.out.println("method:" + methodName);
       Principal caller = ctx.getCallerPrincipal();
       String name = caller.getName();
       System.out.println("name:" + name);
      
      
       }
      }
      
      


      Does anyone check declarative authorization ?

      Could you give me advices?

      Susumu


        • 1. Re: NEED HELP : Declarative authorization doesn't work
          chris griffith Expert

          Susumu,

          It would be helpful to see what is happening at authentication time in trace logging for jboss security layer. As well, you can verify what roles the principals have by viewing the authentication cache using jmx-console. Please let us know.

          thanks, cgriffith

          • 2. Re: NEED HELP : Declarative authorization doesn't work
            Susumu Majima Newbie

            Sorry I'm new to JBOSS & EJB.

            I'm not sure the log cutouted from server.log is appropriate part.

            the server.log is

            TestDB is a database I use to store security data,users,roles.

            2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManager.TestDB] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@14d8c01
            2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@22a6bb
            2006-06-27 09:25:11,918 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@f0756d{ url=null ,addedOrder=0}
            2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManager.TestDB] CachePolicy set to: org.jboss.util.TimedCachePolicy@ad4bb0
            2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@ad4bb0
            2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added TestDB, org.jboss.security.plugins.SecurityDomainContext@144426c to map
            2006-06-27 09:25:11,934 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@187b796{ url=null ,addedOrder=0}
            2006-06-27 09:25:11,949 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] internalRegisterPool: registering pool with interval 900000 old interval: 9223372036854775807
            2006-06-27 09:25:11,949 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] internalRegisterPool: about to notify thread: old next: 1151368361949, new next: 1151368361949
            2006-06-27 09:25:12,199 DEBUG [org.jboss.web.tomcat.tc5.jasper.TagLibCache] Scanning for tlds in: file:/C:/jboss-4.0.4.GA/server/default/deploy/jbossweb-tomcat55.sar/jsf-libs/myfaces-impl.jar
            2006-06-27 09:25:12,668 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@2efae4{ url=null ,addedOrder=0}
            2006-06-27 09:25:12,714 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@19dc72f{ url=null ,addedOrder=0}
            2006-06-27 09:25:12,886 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@1b3251d{ url=null ,addedOrder=0}
            2006-06-27 09:25:13,167 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@12b71eb{ url=null ,addedOrder=0}
            2006-06-27 09:25:13,167 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@1441dc0{ url=null ,addedOrder=0}
            2006-06-27 09:25:13,183 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@1b6c74{ url=null ,addedOrder=0}
            2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@109eab7{ url=null ,addedOrder=0}
            2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@10cf62{ url=null ,addedOrder=0}
            2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@19f332b{ url=null ,addedOrder=0}
            2006-06-27 09:25:21,100 INFO [STDOUT] method:plus
            2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@d86cae{ url=null ,addedOrder=0}
            2006-06-27 09:25:21,100 INFO [STDOUT] name:user1
            2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@16915d4{ url=null ,addedOrder=0}
            2006-06-27 09:25:21,132 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@1b2979e{ url=null ,addedOrder=0}
            


            I don't understand what I should enter as parameter in java.util.List getAuthenticationCachePrincipals()
            .

            Cloud you let me know what I should enter for checking authentication cache by jmx-console ?

            Thanks in advance



            • 3. Re: NEED HELP : Declarative authorization doesn't work
              chris griffith Expert

              Susumu,

              The String parameter of java.util.List getAuthenticationCachePrincipals() is the name of the security domain. This function will show you what principals are currently logged in that domain.

              Your post below is useless. What is needed is trace logging of the authentication at the time a user requests a secured resource for the first time. Also, it would be useful to check your application-policy config.

              cgriffith

              • 4. Re: NEED HELP : Declarative authorization doesn't work
                Susumu Majima Newbie

                I'm terribly sorry but I don't know how to get authetication trace logging.
                Where(in which file) can I find application-policy config?

                Could you let me know it?


                I use jmx-console and the currently logged principal in the domain is user1.

                Susumu

                • 5. Re: NEED HELP : Declarative authorization doesn't work
                  Frank Stolle Newbie

                  Hello. I think you forgot the @SecurityDomain at the class.

                  • 6. Re: NEED HELP : Declarative authorization doesn't work
                    jaikiran pai Master

                     

                    I'm terribly sorry but I don't know how to get authetication trace logging


                    Have a look at Q4: How to debug security layer at:

                    http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ

                    Where(in which file) can I find application-policy config?


                    You can find this is login-config.xml file present in %JBOSS_HOME%/server/default/conf directory.



                    • 7. Re: NEED HELP : Declarative authorization doesn't work
                      Susumu Majima Newbie

                      The log is below. In this case I select multi as user1.


                      2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:53:58,408 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Disabling the response for futher output
                      2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
                      2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
                      2006-06-29 18:53:58,408 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
                      2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callerGenericPrincipal[user1(user,)]
                      2006-06-29 18:53:58,408 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
                      2006-06-29 18:54:22,876 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574862876 sessioncount 1
                      2006-06-29 18:54:22,876 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
                      2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574892876 sessioncount 0
                      2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
                      2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574892876 sessioncount 0
                      2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
                      2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574892876 sessioncount 0
                      2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
                      2006-06-29 18:55:22,875 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574922875 sessioncount 1
                      2006-06-29 18:55:22,875 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 42C1AA6EFF40E2ACA51C4C43298226D5
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /SecurityCheckEJB/calc.jsp
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] We have cached auth type FORM for principal GenericPrincipal[user1(user,)]
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[User Auth]' against GET /calc.jsp --> true
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[User Auth]' against GET /calc.jsp --> true
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
                      2006-06-29 18:55:28,063 DEBUG [org.jboss.web.tomcat.security.FormAuthenticator] Already authenticated 'user1'
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[user1(user,)]
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] Username user1 does NOT have role admin
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: admin
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] Username user1 has role user
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: user
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[user1(user,)]
                      2006-06-29 18:55:28,063 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
                      2006-06-29 18:55:28,063 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=??????:
                      ??: user1
                      ??: Roles(members:user)
                      , sc=org.jboss.security.SecurityAssociation$SubjectContext@1e07d3e{principal=user1,subject=17274660}
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:28,063 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callerGenericPrincipal[user1(user,)]
                      2006-06-29 18:55:28,063 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 42C1AA6EFF40E2ACA51C4C43298226D5
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /SecurityCheckEJB/calc
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] We have cached auth type FORM for principal GenericPrincipal[user1(user,)]
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[User Auth]' against GET /calc --> true
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[User Auth]' against GET /calc --> true
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
                      2006-06-29 18:55:33,594 DEBUG [org.jboss.web.tomcat.security.FormAuthenticator] Already authenticated 'user1'
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[user1(user,)]
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] Username user1 does NOT have role admin
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: admin
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] Username user1 has role user
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: user
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[user1(user,)]
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=??????:
                      ??: user1
                      ??: Roles(members:user)
                      , sc=org.jboss.security.SecurityAssociation$SubjectContext@13e9963{principal=user1,subject=17274660}
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=user1
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@c85a33{principal=user1,subject=null}
                      2006-06-29 18:55:33,594 INFO [STDOUT] method:plus
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] getCallerPrincipal, principal=user1
                      2006-06-29 18:55:33,594 INFO [STDOUT] name:user1
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@c85a33{principal=user1,subject=null}
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.core.ApplicationDispatcher] servletPath=/answer.jsp, pathInfo=null, queryString=null, name=null
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Path Based Forward
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Disabling the response for futher output
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callerGenericPrincipal[user1(user,)]
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] clear, server=true


                      My application-policy is

                       <!-- add by Majima for test -->
                       <application-policy name="TestDB">
                       <authentication>
                       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                       flag = "required" >
                       <module-option name="dsJndiName">java:/MySecurityDS</module-option>
                       <module-option name="principalsQuery">select passwd from users where username=?</module-option>
                       <module-option name="rolesQuery">select userroles, 'Roles' from userroles where username=?</module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      


                      • 8. Re: NEED HELP : Declarative authorization doesn't work
                        jaikiran pai Master

                         

                        In this case I select multi as user1.


                        This is going to work, isnt it? Since you have specified that the method multi can be invoked by users in role "user" (and user1 belongs to "user" role).

                        Your first post mentioned that

                        The method multi is allowed only "user" role. but manager is able to execute multi


                        Try out this case(i.e. try the multi operation with manager) and post the TRACE logs.




                        • 9. Re: NEED HELP : Declarative authorization doesn't work
                          Susumu Majima Newbie

                          I'm sorry I gave you a wrong information.
                          I selected plus as user. The logging above is in this case.

                          If it works correct,user1 can't excute plus.

                          Susumu

                          • 11. Re: NEED HELP : Declarative authorization doesn't work
                            jaikiran pai Master

                            Can you please post your ejb-jar.xml. The logs show that the user1 was authenticated correctly and he has been identified in the correct role.

                            • 12. Re: NEED HELP : Declarative authorization doesn't work
                              Susumu Majima Newbie

                              I don't have ejb-jar.xml. Because I don't thinlk specify anything in ejb-jar.xml.

                              Am I understanding wrong?

                              If something is needed in ejb-jar.xml,could you show me the example?