Problems with Security API of JEE6 using JBoss 7.1.1

Matthias Grafen
Greenhorn

Joined: Nov 08, 2006
Posts: 1
Hello everybody,

I am working with EJB 3.1 and I have been testing the security API of Java EE.

I wanted to show the effect of some annotations like @DeclareRoles, @PermitAll, @DenyAll, @RolesAllowed and the method isCallerInRole(String role) from javax.ejb.SessionContext.

Dealing with this subject I read the following documents:
- Sun Microsystems, JSR 318: Enterprise JavaBeans, Version 3.1, EJB Core Contracts and Requirements (November), Chapter 17 "Security Management"
- The Java EE 6 Tutorial, Chapter 39 "Introduction to Security in the Java EE Platform" and Chapter 41 "Getting Started Securing Enterprise Applications"
- Java Platform, Enterprise Edition (Java EE) Specification, v6
- JBoss 7.1 Admin Guide, Security Realms

I tried a simple exercise with a client calling a session bean via its remote interface and did not get the results as expected.

Here are the details:
I am working on a laptop running Windows 7 Professional, JDK 1.7.0_04, Eclipse Juno (Build id: 20120614-1722) and JBoss 7.1.1.

In JBoss I created two application users.
The result (without the comments above) can be seen in the following two files (in ~\jboss-as-7.1.1.Final\standalone\configuration):

application-users.properties


application-roles.properties


I created a new EJB Project with the name DemoSecurityMini.

As shown in the following interface and the implementing session bean, I experimented with the effect of @PermitAll (method printStatement()), @DenyAll (method destroyBank()), @RolesAllowed (method createAccount()) and the method isCallerInRole() (see method withdrawMoney(int amount)).





The client shown in the following lines tries to invoke the methods shown above for the two roles "clerk" and "admin".



The client uses the following utility class (I list only the code lines that are important for the problem).



Finally, I add the two exception classes.






When starting JBoss AS 7.1.1 I got the expected namespace (so I think the class ServiceLocator is working well).



Besides, I used Ant to build the project. I got a jar file DemoSecurityMini.jar and an ear file DemoSecurityMini.ear. In my opinion this also seems to be all right.

I started the client and got the following result:




(1) This is what I expected.
(2) For the role "clerk" I expected that the method createAccount() would not be executed. Instead there should have been the exception message "----- No permission for creating account".
(3) This is what I expected.
(4) For the role "clerk" I expected that withdrawMoney(1001) would return "ok: You are clerk and may withdraw 1001".
(5) With respect to the @DenyAll annotation I expected "****** Illegal You must not destroy the bank!!!".

(6) This is what I expected.
(7) This is what I expected.
(8) This is what I expected.
(9) The user admin is part of the @RolesAllowed, so in my opinion the method should be executed. As the role "admin" differs from the role "clerk", a WithdrawException should be thrown. So in my opinion we should see "Not ok. Only clerk is allowed to withdraw 1001".
(10) I expected another result (see (5)).

I would be very glad if somebody can help me. Thanks a lot for your encouragement!

Matthias


Matthias Grafen, codecentric AG, Germany
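As an added example (not code from the original post, and not the poster's DemoSecurityMini project), the following stateless bean shows the four annotations and isCallerInRole() as they are normally wired up on JBoss AS 7.1.1. The package name, the interface name BankRemote, the method bodies and the role names "clerk" and "admin" are assumptions. The point worth checking against the symptoms above: on AS 7.1 an EJB that is not bound to a security domain (via @org.jboss.ejb3.annotation.SecurityDomain or jboss-ejb3.xml) is treated as unsecured, so @RolesAllowed and @DenyAll are not enforced and isCallerInRole() has no authenticated caller to test against. The stock standalone.xml ships a security domain named "other" that authenticates against ApplicationRealm, i.e. against application-users.properties and application-roles.properties.

```java
// Added example, not from the original post. Assumed package and names.
package demo.security;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain; // jboss-ejb3-ext-api, provided scope

// --- BankRemote.java (normally its own public file) ---
@Remote
interface BankRemote {
    String printStatement();
    String createAccount(String owner);
    String withdrawMoney(int amount);
    void destroyBank();
}

// --- BankBean.java ---
@Stateless
// Bind the bean to the "other" security domain shipped in standalone.xml; it uses the
// RealmDirect login module against ApplicationRealm. Without such a binding AS 7.1
// does not apply its security interceptors to this bean (assumption based on AS 7.1 behaviour).
@SecurityDomain("other")
// Roles tested with isCallerInRole() must be declared so the container knows them.
@DeclareRoles({"clerk", "admin"})
public class BankBean implements BankRemote {

    @Resource
    private SessionContext ctx;

    @PermitAll // every caller the container let in, regardless of role
    public String printStatement() {
        return "statement for " + ctx.getCallerPrincipal().getName();
    }

    @RolesAllowed("admin") // a "clerk" caller is rejected by the container with
                           // javax.ejb.EJBAccessException before this body runs
    public String createAccount(String owner) {
        return "created account for " + owner;
    }

    @RolesAllowed({"clerk", "admin"}) // both roles pass the declarative check;
                                      // the finer rule is programmatic below
    public String withdrawMoney(int amount) {
        // Programmatic security: only callers in role "clerk" may exceed 1000.
        if (amount > 1000 && !ctx.isCallerInRole("clerk")) {
            throw new IllegalStateException("Not ok. Only clerk is allowed to withdraw " + amount);
        }
        return "ok: withdrew " + amount;
    }

    @DenyAll // no role at all may call this, not even "admin"; the container throws
             // EJBAccessException, so the body is unreachable through the EJB proxy
    public void destroyBank() {
        throw new AssertionError("unreachable: container denies every caller");
    }
}
```

For the remote client, the caller identity comes from the EJB client configuration (a jboss-ejb-client.properties with `remote.connection.default.username` and `remote.connection.default.password` for a user present in application-users.properties); a client that connects without credentials, or a bean with no security domain, will not produce the role-based exceptions described above. Remote callers see a denied call as `javax.ejb.EJBAccessException` raised by the container, not as the application's own exception types.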
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Problems with Security API of JEE6 using JBoss 7.1.1
 
Similar Threads
must the service locator be a singleton
Yielding...
Not able to insert image more than 4K in Database
Service Locator Pattern
static code?