0 Replies Latest reply on May 20, 2009 6:49 AM by Darek Szumacher

    Does <method-permission> overwrite prevoius entry in ejb-jar

    Darek Szumacher Newbie

      Hi

      I'm trying to restrict EJB method "add" in remote interface, and leave the same method in local interface accessible freely. I tried to use <method-intf> tag to distinguish interfaces. I have following entries:

      ...
      <assembly-descriptor>
       <security-role>
       <description>Calculator guest</description>
       <role-name>guest</role-name>
       </security-role>
      
       <security-role>
       <description>Calculator external role</description>
       <role-name>externalUser</role-name>
       </security-role>
      
       <method-permission>
       <role-name>guest</role-name>
       <method>
       <ejb-name>CalculatorBean</ejb-name>
       <method-intf>Home</method-intf>
       <method-name>add</method-name>
       </method>
       </method-permission>
      
       <method-permission>
       <role-name>externalUser</role-name>
       <method>
       <ejb-name>CalculatorBean</ejb-name>
       <method-intf>Remote</method-intf>
       <method-name>add</method-name>
       </method>
       </method-permission>
      </assembly-descriptor>
      ...


      During debugging I saw that only externaUser role is available for "add". It seems that previous <method-permission> is overwritten. My "guest" role is unknown. If I comment last entry, then the "guest" role is available.

      I'm invoking EJB via local interface, from another stateless EJB (packed in other jar file, but delivered in the same EAR). Caller is recognized as "guest"

      Do you know what is going on? Am I specifying permissions in incorrect way? Or did I miss something important? My login-config.xml is configured to accept "unauthenticatedIdentity"

      JBoss: 4.2.0 GA
      JDK: 1.6.0 u13

      Thanks in advance!
      Darek