You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by "Vamsavardhana Reddy (JIRA)" <ji...@apache.org> on 2008/10/17 19:51:44 UTC

[jira] Updated: (GERONIMO-4367) default-subject does not work with EJB security

     [ https://issues.apache.org/jira/browse/GERONIMO-4367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vamsavardhana Reddy updated GERONIMO-4367:
------------------------------------------

    Attachment: GERONIMO-4367-testcase.zip

GERONIMO-4367-testcase.zip has the necessary files to verify this issue.  Instructions are in README.TXT in the archive.

> default-subject does not work with EJB security
> -----------------------------------------------
>
>                 Key: GERONIMO-4367
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4367
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.1.3, 2.2
>            Reporter: Vamsavardhana Reddy
>             Fix For: 2.2
>
>         Attachments: GERONIMO-4367-testcase.zip
>
>
> The default-subject does not seem to work with EJB security. I have verified this in the following scenario:
> I have a stateless bean BankBean1 as given below:
> @Stateless
> @DeclareRoles(value = {"bank", "customer"})
> public class BankBean1 implements Bank {
>     @RolesAllowed({"customer", "bank"})
>     public Double getBalance(Integer account) {
>         return data.get(account);
>     }
>    
>     @RolesAllowed({"bank"})
>     public Double creditAccount(Integer account, Double amt) {
>         ...
>         return value;
>     }
>     @RolesAllowed({"bank"})
>     public Double debitAccount(Integer account, Double amt) {
>         ...
>         return value;
>     }
> }
> I have a second stateless bean BankBean2 that has a reference injected to BankBean1 and uses @RunAs as given below:
> @Stateless
> @DeclareRoles(value = {"bank", "customer"})
> @RunAs(value = "bank")
> public class BankBean2 implements Bank2 {
>    
>     @EJB
>     private Bank bank; // BankBean1 gets injected here.
>     public Double getBalance(Integer account) {
>         return bank.getBalance(account);
>     }
>    
>     public Double creditAccount(Integer account, Double amt) {
>         return bank.creditAccount(account, amt);
>     }
>     public Double debitAccount(Integer account, Double amt) {
>         return bank.debitAccount(account, amt);
>     }
> }
> In the security mapping in openejb-jar.xml, if I specify a run-as-subject for "bank" role, BankBean2 is able to invoke BankBean1 as per that run-as-subject specified.  But if I don't specify a run-as-subject, but only use a default-subject, BankBean2 is unable to invoke BankBean1 as per the default-subject specified.
> Also see http://www.nabble.com/How-is-the-default-subject-used-in-EJB-security--td20021936s134.html#a20021936

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.