1 Reply Latest reply on Mar 1, 2007 9:13 AM by jaikiran pai

    EJB Security Question

    Aaron Walker Newbie

      I migrating some apps from weblogic and it appear that weblogic takes a different approach to EJB security in that if you don't specify a method-permission element in the ejb-jar.xml then it defaults to allows unchecked access to those methods where as jboss you have to explicitly marked them as unchecked. This is painful if I have to add every method individually to as unchecked if I only want to restrict access to one method.

      I can add the following:

      ...
       <method-permission>
       <unchecked/>
       <method >
       <ejb-name>MyEJB</ejb-name>
       <method-intf>Remote</method-intf>
       <method-name>*</method-name>
       </method>
       </method-permission>
      ...
      


      To allow unrestricted access to all methods but what is the behavior if I do the following:

      ...
       <method-permission>
       <unchecked/>
       <method >
       <ejb-name>MyEJB</ejb-name>
       <method-intf>Remote</method-intf>
       <method-name>*</method-name>
       </method>
       </method-permission>
       <method-permission>
       <role-name>valid-user</role-name>
       <method >
       <ejb-name>MyEJB</ejb-name>
       <method-intf>Remote</method-intf>
       <method-name>secureMethod</method-name>
       </method>
       </method-permission>
      ...
      


      Does this restrict access to users with a "valid-user" role or does the unchecked with the wildcard allow anyone to access the secureMethod?

      I will implement a testcase to findout and post my findings but am interested to find out what the semantic behavior is supposed to be.

      Oh if you want I can post this in the EJB forum if you think that's a more relevant location for this post.

      cheers,

      Aaron

        • 1. Re: EJB Security Question
          jaikiran pai Master

           

          Does this restrict access to users with a "valid-user" role or does the unchecked with the wildcard allow anyone to access the secureMethod?


          If i am not wrong, i remember reading a similar post where it was mentioned that in such cases the stricter restriction will be used for authorization. So in your case, only the users with a "valid-user" role will be allowed to access the secureMethod.

          Getting this confirmed through a testcase would be great.