You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <de...@geronimo.apache.org> on 2005/04/18 21:07:48 UTC

[jira] Closed: (GERONIMO-634) openejb jacc has contextID per ejb rather than contextID per ejb module

     [ http://issues.apache.org/jira/browse/GERONIMO-634?page=all ]
     
David Jencks closed GERONIMO-634:
---------------------------------

     Resolution: Fixed
    Fix Version: 1.0-M4

Fixed.  Only openejb changes needed, commit includes issue number.

> openejb jacc has contextID per ejb rather than contextID per ejb module
> -----------------------------------------------------------------------
>
>          Key: GERONIMO-634
>          URL: http://issues.apache.org/jira/browse/GERONIMO-634
>      Project: Geronimo
>         Type: Bug
>   Components: OpenEJB
>     Versions: 1.0-M3
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.0-M4

>
> Currently openejb creates a policy context for each ejb, containing only those permissions relevant to that ejb.  This appears to be contrary to the jacc spec:
> On p.4 we see this definition:
> Policy Context The collection of policy statements within a policy  provider that affect access to the resources of one or more  deployed modules.
> section 3.1.1 also appears to indicate that a policy context corresponds to a j2ee module:
> Each policy context contains all of the policy statements (as defined by this  specification) that affect access to the resources in one or more deployed modules.    
> section 3.1.5, dealing with translation of the xml dd to permissions inside PolicyConfiguration objects, also looks to me as if the authors assume that there is one contextID for each ejb module.  For instance 3.1.5.1 reads:
> For each method element of each method-permission element, an  EJBMethodPermission object translated from the method element must be added to the policy statements of the PolicyConfiguration object. 
> Our implementation is externally indistinguishable from the per-module implementation mandated by the spec: it will allow exactly the same access.  It is also slightly marginally simpler at runtime although marginally more complicated at deploy time than the spec mandated structure.
> Note that in general permissions for several modules cannot be put in a single policy context.  Two web modules may have servlets at the same local url, differing only in context root, with different permissions, and two ejb modules may have identically named ejbs with different permissions.  Such cases cannot include permissions from both modules in a single policy context.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira