Posted to dev@geronimo.apache.org by "Rex Wang (JIRA)" <ji...@apache.org> on 2010/03/24 02:44:27 UTC

[jira] Commented: (GERONIMO-5137) EJB security config in ejb-jar.xml does not override the ones defined via security annotations

    [ https://issues.apache.org/jira/browse/GERONIMO-5137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12849008#action_12849008 ] 

Rex Wang commented on GERONIMO-5137:
------------------------------------

This might be a bug in OpenEJB 3.0.2. Could you test it in a pure OpenEJB container? If it still exists, you can raise a bug there.
Thanks.

> EJB security config in ejb-jar.xml does not override the ones defined via security annotations
> ----------------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-5137
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-5137
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: OpenEJB
>    Affects Versions: 2.1.5
>            Reporter: Forrest Xia
>
> Tried the DataCDInfo sample on G 2.1.4 and the 2.1 branch, and found that these EJB security settings in ejb-jar.xml do not override the ones defined in code via annotations.
> Here is the definition in ejb-jar.xml:
> 	<assembly-descriptor>
> 		<method-permission>
> 			<role-name>superadmin</role-name>
> 			<method>
> 				<ejb-name>ejb/DataCDInfoAdmin</ejb-name>
> 				<method-name>*</method-name>
> 			</method>
> 		</method-permission>
> 		<!-- In code, role "admin" only has the right to access the listOwners method,
> 			but via this xml definition the role could also access the listAllDataCDs method -->
> 		<method-permission>
> 			<role-name>admin</role-name>
> 			<method>
> 				<ejb-name>ejb/DataCDInfoAdmin</ejb-name>
> 				<method-name>listAllDataCDs</method-name>
> 			</method>
> 		</method-permission>
> 	</assembly-descriptor>
> Here is the definition in code:
> 	@RolesAllowed("superadmin")
> 	public String findpasswd(String username) {
> 		...
> 	}
>
> 	@RolesAllowed("superadmin")
> 	public String[] listAllDataCDs() {
> 		...
> 	}
>
> 	@RolesAllowed({"admin","superadmin"})
> 	public String[] listOwners() {
> 		...
> 	}
> According to the definition in ejb-jar.xml, the role "admin" should be able to access two methods, listOwners and listAllDataCDs, but in Geronimo 2.1.4 and the 2.1 branch it can only access listOwners.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.