I tried a simple exercise with a client calling a session bean via its remote interface and did not get the results as expected.
Here are the details:
I am working on a laptop using Windows 7 Professional, JDK 1.7.0_04, Eclipse Juno (Build id: 20120614-1722) and JBoss 7.1.1.
In JBoss I created two application users.
The result (without the comments above) can be seen in the following two files (in ~ \jboss-as-7.1.1.Final\standalone\configuration)
I created a new EJB Project with the name DemoSecurityMini.
As shown in the following interface and the implementing session bean, I experimented with the effect of @PermitAll (method printStatement()), @DenyAll (method destroyBank()), @RolesAllowed (method createAccount()) and the method isCallerInRole() (see method withdrawMoney(int amount)).
The client shown in the following lines tries to invoke the methods shown above for the two roles "clerk" and "admin".
The client uses the following utility class (I list only the code lines relevant to the problem).
At last I add the two exception classes.
When starting JBoss AS 7.1.1 I got the expected namespace (so I think the class ServiceLocator is working well).
Besides, I used Ant to build the project. I got a jar file DemoSecurityMini.jar and an ear file DemoSecurityMini.ear. In my opinion this also seems to be all right.
I started the client and got the following result:
(1) This is what I expected.
(2) For the role "clerk" I expected that the method createAccount() would not be executed. Instead there should have been the exception message "----- No permission for creating account".
(3) This is what I expected.
(4) For the role "clerk" I expected that withdrawMoney(1001) would return "ok: You are clerk and may withdraw 1001".
(5) With respect to the @DenyAll annotation I had expected "****** Illegal You must not destroy the bank!!!".
(6) This is what I expected.
(7) This is what I expected.
(8) This is what I expected.
(9) The user admin is part of the @RolesAllowed, so in my opinion the method should be executed. As the role "admin" differs from the role "clerk", a WithdrawException should be thrown. So in my opinion we should see "Not ok. Only clerk is allowed to withdraw 1001".
(10) I expected another result (see (5)).
I would be very glad if somebody can help me. Thanks a lot for your encouragement!
Matthias Grafen, codecentric AG, Germany
subject: Problems with Security API of JEE6 using JBoss 7.1.1
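The following is an added example of the four security mechanisms named in the post (@PermitAll, @DenyAll, @RolesAllowed and SessionContext.isCallerInRole()) on a stateless session bean for JBoss AS 7.1.1. It is not the poster's DemoSecurityMini code; the package, class and method names are hypothetical, and it assumes the "other" security domain that the AS 7.1.1 standalone.xml ships with, which is backed by ApplicationRealm and therefore by the application-users.properties and application-roles.properties files that add-user.sh writes. The one thing the bean carries that the post does not mention is the @SecurityDomain annotation: in AS 7.1.1 the EJB security interceptor is only attached to beans that declare a security domain (via this annotation or the <security-domain> element of jboss-ejb3.xml), and a bean without one has its role annotations silently ignored, so every caller gets through.

```java
// Added example, not the poster's project code. Names are hypothetical;
// "other" is the security domain shipped in the AS 7.1.1 standalone.xml.
// One file per class when deployed; shown here as three files in one listing.

// --- File: WithdrawException.java ---
package demo.security;

public class WithdrawException extends Exception {
    public WithdrawException(String message) { super(message); }
}

// --- File: BankRemote.java ---
package demo.security;

import javax.ejb.Remote;

@Remote
public interface BankRemote {
    String printStatement();
    String createAccount(String owner);
    String destroyBank();
    String withdrawMoney(int amount) throws WithdrawException;
}

// --- File: BankBean.java ---
package demo.security;

import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("other")           // required in AS 7.1.1: no domain, no security checks at all
@RolesAllowed({"clerk", "admin"})  // class-level default for methods without their own annotation
public class BankBean implements BankRemote {

    @Resource
    private SessionContext ctx;

    // Any caller the domain authenticates may invoke this, regardless of role.
    @PermitAll
    public String printStatement() {
        return "statement for " + ctx.getCallerPrincipal().getName();
    }

    // Declarative check: only "admin" gets past the container. A "clerk" caller
    // receives javax.ejb.EJBAccessException and this method body never runs.
    @RolesAllowed("admin")
    public String createAccount(String owner) {
        return "created account for " + owner;
    }

    // Nobody may call this, not even "admin"; the container rejects the call
    // before entering the method.
    @DenyAll
    public String destroyBank() {
        return "bank destroyed";  // unreachable through the container
    }

    // Programmatic check: both roles pass the declarative gate, and the amount
    // rule is then enforced inside the method with isCallerInRole().
    @RolesAllowed({"clerk", "admin"})
    public String withdrawMoney(int amount) throws WithdrawException {
        if (amount > 1000 && !ctx.isCallerInRole("clerk")) {
            throw new WithdrawException("Not ok. Only clerk is allowed to withdraw " + amount);
        }
        String role = ctx.isCallerInRole("clerk") ? "clerk" : "admin";
        return "ok: You are " + role + " and may withdraw " + amount;
    }
}
```

Two behaviours worth checking against the results a client prints: a call blocked by @RolesAllowed or @DenyAll never reaches the bean, so the denial arrives at the client as a javax.ejb.EJBAccessException thrown by the container, not as any message the method itself would build; and isCallerInRole() only reports a role that the authenticated user actually holds in application-roles.properties (or that is mapped with a security-role-ref), so the role names used in the annotations, in the properties file and in the isCallerInRole() argument must match exactly.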