Posted to dev@geronimo.apache.org by Vamsavardhana Reddy <c1...@gmail.com> on 2008/10/16 22:14:54 UTC

How is the default-subject used in EJB security?

I have a stateless bean BankBean1 as given below:

import java.util.HashMap;
import java.util.Map;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles(value = {"bank", "customer"})
public class BankBean1 implements Bank {

    // Backing store for balances; its type is inferred from data.get(account),
    // the declaration itself was not shown in the original post.
    private final Map<Integer, Double> data = new HashMap<Integer, Double>();

    @RolesAllowed({"customer", "bank"})
    public Double getBalance(Integer account) {
        return data.get(account);
    }

    @RolesAllowed({"bank"})
    public Double creditAccount(Integer account, Double amt) {
        ...
        return value;
    }

    @RolesAllowed({"bank"})
    public Double debitAccount(Integer account, Double amt) {
        ...
        return value;
    }
}

I have a second stateless bean BankBean2 that has a reference injected to
BankBean1 and uses @RunAs as given below:

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles(value = {"bank", "customer"})
@RunAs(value = "bank")
public class BankBean2 implements Bank2 {

    @EJB
    private Bank bank; // BankBean1 gets injected here.

    // No @RolesAllowed here: every call is forwarded to BankBean1,
    // which performs its own role checks against the run-as identity.
    public Double getBalance(Integer account) {
        return bank.getBalance(account);
    }

    public Double creditAccount(Integer account, Double amt) {
        return bank.creditAccount(account, amt);
    }

    public Double debitAccount(Integer account, Double amt) {
        return bank.debitAccount(account, amt);
    }
}

In the security mapping in openejb-jar.xml, if I specify a run-as-subject
for "bank" role, BankBean2 is able to invoke BankBean1 as per that
run-as-subject specified.  But if I don't specify a run-as-subject, but only
use a default-subject, BankBean2 is unable to invoke BankBean1 as per the
default-subject specified. I guess the default-subject is being ignored.
This is not the case with run-as-subject and default-subject used in
geronimo-web.xml.  In the absence of run-as-subject I notice that
default-subject is used.  I am wondering how the default-subject is used in
ejb security.

++Vamsi

Re: How is the default-subject used in EJB security?

Posted by Vamsavardhana Reddy <c1...@gmail.com>.
Created GERONIMO-4367.

++Vamsi

On Fri, Oct 17, 2008 at 1:21 PM, Vamsavardhana Reddy <c1...@gmail.com> wrote:

>
>
> On Fri, Oct 17, 2008 at 12:47 PM, David Jencks <da...@yahoo.com> wrote:
>
>>
>> On Oct 16, 2008, at 1:14 PM, Vamsavardhana Reddy wrote:
>>
>>> I have a stateless bean BankBean1 as given below:
>>>
>>> @Stateless
>>> @DeclareRoles(value = {"bank", "customer"})
>>> public class BankBean1 implements Bank {
>>>
>>>    @RolesAllowed({"customer", "bank"})
>>>    public Double getBalance(Integer account) {
>>>        return data.get(account);
>>>    }
>>>
>>>    @RolesAllowed({"bank"})
>>>    public Double creditAccount(Integer account, Double amt) {
>>>        ...
>>>        return value;
>>>    }
>>>
>>>    @RolesAllowed({"bank"})
>>>    public Double debitAccount(Integer account, Double amt) {
>>>        ...
>>>        return value;
>>>    }
>>> }
>>>
>>> I have a second stateless bean BankBean2 that has a reference injected to
>>> BankBean1 and uses @RunAs as given below:
>>> @Stateless
>>> @DeclareRoles(value = {"bank", "customer"})
>>> @RunAs(value = "bank")
>>> public class BankBean2 implements Bank2 {
>>>
>>>    @EJB
>>>    private Bank bank; // BankBean1 gets injected here.
>>>
>>>    public Double getBalance(Integer account) {
>>>        return bank.getBalance(account);
>>>    }
>>>
>>>    public Double creditAccount(Integer account, Double amt) {
>>>        return bank.creditAccount(account, amt);
>>>    }
>>>
>>>    public Double debitAccount(Integer account, Double amt) {
>>>        return bank.debitAccount(account, amt);
>>>    }
>>> }
>>>
>>> In the security mapping in openejb-jar.xml, if I specify a run-as-subject
>>> for "bank" role, BankBean2 is able to invoke BankBean1 as per that
>>> run-as-subject specified.  But if I don't specify a run-as-subject, but only
>>> use a default-subject, BankBean2 is unable to invoke BankBean1 as per the
>>> default-subject specified. I guess the default-subject is being ignored.
>>> This is not the case with run-as-subject and default-subject used in
>>> geronimo-web.xml.  In the absence of run-as-subject I notice that
>>> default-subject is used.  I am wondering how the default-subject is used in
>>> ejb security.
>>>
>>
>> What is the default-subject you have specified?  I'd expect it would be
>> used if no run-as subject is specified for the role.
>
> I tried a default-subject that maps to "customer" role and also a
> default-subject that maps to "bank" role.  When I specify the run-as-subject
> the BankBean1 invocation is happening as per that subject i.e. when the
> subject contains a principal that maps to the "bank" role all methods are
> accessible and when the subject contains a principal that maps to "customer"
> role only getBalance() method is accessible.  If I remove the run-as-subject
> and put the same as default-subject, none of the methods are accessible.
>
>
>> If you are trying to tell us that you have specified a default subject
>> with a principal that maps to the "bank" role and you still can't access the
>> BankBean1 then I think you've found a bug.... jira time :-)
>
> Yes, the methods are not accessible even when the default-subject has a
> principal that maps to "bank" role.  I will create a JIRA and upload the
> test sample.
>
>
>>
>>
>> Note that our security system requires some extra configuration for the
>> run-as role to actually work, you need to specify a subject corresponding to
>> the run-as role.  You are expected to assure that some principal in this
>> subject actually maps to the run-as role but this is not enforced.
>
> This has been taken care of.  I am using SimpleCredentialStoreImpl to create a
> credential store and the credential-store-ref element in security element in
> the deployment plan.
>
> ++Vamsi
>
>>
>>
>> thanks
>> david jencks
>>
>>
>>> ++Vamsi
>>>
>>>
>>
>

Re: How is the default-subject used in EJB security?

Posted by Vamsavardhana Reddy <c1...@gmail.com>.
On Fri, Oct 17, 2008 at 12:47 PM, David Jencks <da...@yahoo.com> wrote:

>
> On Oct 16, 2008, at 1:14 PM, Vamsavardhana Reddy wrote:
>
>> I have a stateless bean BankBean1 as given below:
>>
>> @Stateless
>> @DeclareRoles(value = {"bank", "customer"})
>> public class BankBean1 implements Bank {
>>
>>    @RolesAllowed({"customer", "bank"})
>>    public Double getBalance(Integer account) {
>>        return data.get(account);
>>    }
>>
>>    @RolesAllowed({"bank"})
>>    public Double creditAccount(Integer account, Double amt) {
>>        ...
>>        return value;
>>    }
>>
>>    @RolesAllowed({"bank"})
>>    public Double debitAccount(Integer account, Double amt) {
>>        ...
>>        return value;
>>    }
>> }
>>
>> I have a second stateless bean BankBean2 that has a reference injected to
>> BankBean1 and uses @RunAs as given below:
>> @Stateless
>> @DeclareRoles(value = {"bank", "customer"})
>> @RunAs(value = "bank")
>> public class BankBean2 implements Bank2 {
>>
>>    @EJB
>>    private Bank bank; // BankBean1 gets injected here.
>>
>>    public Double getBalance(Integer account) {
>>        return bank.getBalance(account);
>>    }
>>
>>    public Double creditAccount(Integer account, Double amt) {
>>        return bank.creditAccount(account, amt);
>>    }
>>
>>    public Double debitAccount(Integer account, Double amt) {
>>        return bank.debitAccount(account, amt);
>>    }
>> }
>>
>> In the security mapping in openejb-jar.xml, if I specify a run-as-subject
>> for "bank" role, BankBean2 is able to invoke BankBean1 as per that
>> run-as-subject specified.  But if I don't specify a run-as-subject, but only
>> use a default-subject, BankBean2 is unable to invoke BankBean1 as per the
>> default-subject specified. I guess the default-subject is being ignored.
>> This is not the case with run-as-subject and default-subject used in
>> geronimo-web.xml.  In the absence of run-as-subject I notice that
>> default-subject is used.  I am wondering how the default-subject is used in
>> ejb security.
>>
>
> What is the default-subject you have specified?  I'd expect it would be
> used if no run-as subject is specified for the role.

I tried a default-subject that maps to "customer" role and also a
default-subject that maps to "bank" role.  When I specify the run-as-subject
the BankBean1 invocation is happening as per that subject i.e. when the
subject contains a principal that maps to the "bank" role all methods are
accessible and when the subject contains a principal that maps to "customer"
role only getBalance() method is accessible.  If I remove the run-as-subject
and put the same as default-subject, none of the methods are accessible.


> If you are trying to tell us that you have specified a default subject
> with a principal that maps to the "bank" role and you still can't access the
> BankBean1 then I think you've found a bug.... jira time :-)

Yes, the methods are not accessible even when the default-subject has a
principal that maps to "bank" role.  I will create a JIRA and upload the
test sample.


>
>
> Note that our security system requires some extra configuration for the
> run-as role to actually work, you need to specify a subject corresponding to
> the run-as role.  You are expected to assure that some principal in this
> subject actually maps to the run-as role but this is not enforced.

This has been taken care of.  I am using SimpleCredentialStoreImpl to create a
credential store and the credential-store-ref element in security element in
the deployment plan.

++Vamsi

>
>
> thanks
> david jencks
>
>
>> ++Vamsi
>>
>>
>
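
The two openejb-jar.xml security mappings this thread contrasts, written out as an added illustration (not the poster's actual deployment plan, which is not on the page): element names follow the Geronimo security-2.0 plan schema as I recall it, and the credential store name, realm, entry ids and principal class are assumed placeholders.

```xml
<!-- Added illustration; store name, realm, ids and principal class are placeholders. -->
<!-- Variant A: explicit run-as-subject on the "bank" role. Per the thread this works:
     BankBean2 (@RunAs("bank")) reaches BankBean1 with the subject loaded from the
     credential store entry, so the caller's role is whatever that subject maps to. -->
<security xmlns="http://geronimo.apache.org/xml/ns/security-2.0">
  <credential-store-ref>
    <name>BankCredentialStore</name>   <!-- SimpleCredentialStoreImpl GBean, defined elsewhere -->
  </credential-store-ref>
  <role-mappings>
    <role role-name="bank">
      <run-as-subject>
        <realm>bank-realm</realm>
        <id>teller</id>                 <!-- entry whose principal must map to "bank";
                                             the server does not verify this for you -->
      </run-as-subject>
      <principal class="org.example.BankGroupPrincipal" name="bank"/>
    </role>
    <role role-name="customer">
      <principal class="org.example.BankGroupPrincipal" name="customer"/>
    </role>
  </role-mappings>
</security>

<!-- Variant B: the same subject supplied only as default-subject, no run-as-subject.
     Per the thread the EJB run-as path does not fall back to it (GERONIMO-4367):
     every BankBean1 method is denied even though the subject maps to "bank",
     whereas geronimo-web.xml does honour default-subject in this situation. -->
<security xmlns="http://geronimo.apache.org/xml/ns/security-2.0">
  <credential-store-ref>
    <name>BankCredentialStore</name>
  </credential-store-ref>
  <default-subject>
    <realm>bank-realm</realm>
    <id>teller</id>
  </default-subject>
  <role-mappings>
    <role role-name="bank">
      <principal class="org.example.BankGroupPrincipal" name="bank"/>
    </role>
    <role role-name="customer">
      <principal class="org.example.BankGroupPrincipal" name="customer"/>
    </role>
  </role-mappings>
</security>
```

The practical check is the one the thread performs: deploy each variant and confirm which BankBean1 methods BankBean2 can reach, since a silently ignored default-subject turns into denied calls rather than into calls running with an unintended identity.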

Re: How is the default-subject used in EJB security?

Posted by David Jencks <da...@yahoo.com>.
On Oct 16, 2008, at 1:14 PM, Vamsavardhana Reddy wrote:

> I have a stateless bean BankBean1 as given below:
>
> @Stateless
> @DeclareRoles(value = {"bank", "customer"})
> public class BankBean1 implements Bank {
>
>     @RolesAllowed({"customer", "bank"})
>     public Double getBalance(Integer account) {
>         return data.get(account);
>     }
>
>     @RolesAllowed({"bank"})
>     public Double creditAccount(Integer account, Double amt) {
>         ...
>         return value;
>     }
>
>     @RolesAllowed({"bank"})
>     public Double debitAccount(Integer account, Double amt) {
>         ...
>         return value;
>     }
> }
>
> I have a second stateless bean BankBean2 that has a reference injected to
> BankBean1 and uses @RunAs as given below:
> @Stateless
> @DeclareRoles(value = {"bank", "customer"})
> @RunAs(value = "bank")
> public class BankBean2 implements Bank2 {
>
>     @EJB
>     private Bank bank; // BankBean1 gets injected here.
>
>     public Double getBalance(Integer account) {
>         return bank.getBalance(account);
>     }
>
>     public Double creditAccount(Integer account, Double amt) {
>         return bank.creditAccount(account, amt);
>     }
>
>     public Double debitAccount(Integer account, Double amt) {
>         return bank.debitAccount(account, amt);
>     }
> }
>
> In the security mapping in openejb-jar.xml, if I specify a run-as-subject
> for "bank" role, BankBean2 is able to invoke BankBean1 as per that
> run-as-subject specified.  But if I don't specify a run-as-subject, but only
> use a default-subject, BankBean2 is unable to invoke BankBean1 as per the
> default-subject specified. I guess the default-subject is being ignored.
> This is not the case with run-as-subject and default-subject used in
> geronimo-web.xml.  In the absence of run-as-subject I notice that
> default-subject is used.  I am wondering how the default-subject is used in
> ejb security.

What is the default-subject you have specified?  I'd expect it would be
used if no run-as subject is specified for the role.  If you are trying
to tell us that you have specified a default subject with a principal
that maps to the "bank" role and you still can't access the BankBean1
then I think you've found a bug.... jira time :-)

Note that our security system requires some extra configuration for the
run-as role to actually work, you need to specify a subject corresponding
to the run-as role.  You are expected to assure that some principal in
this subject actually maps to the run-as role but this is not enforced.

thanks
david jencks

>
> ++Vamsi
>