About Question enthuware.oce-ejbd.v6.2.614 :
Why is option number 1 not correct? I thought that both option 1 and option 3 are correct.
- Site Admin
- Posts: 10036
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
You can't map a user to multiple roles.
If you like our products and services, please help us by posting your review here.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Re: You can't map a user to multiple roles.
Is this specified in the spec? Because GlassFish v3.1 seems to allow a single user to be mapped to multiple roles, by including something like the following in the sun-web.xml DD:
<security-role-mapping>
  <role-name>superusers</role-name>
  <principal-name>goetz</principal-name>
</security-role-mapping>
<security-role-mapping>
  <role-name>plainusers</role-name>
  <group-name>plain-users</group-name>
</security-role-mapping>
<security-role-mapping>
  <role-name>admin</role-name>
  <principal-name>goetz</principal-name>
</security-role-mapping>
Using the GlassFish admin console I associated "goetz" to the "plain-users" group only. However, with the above DD and by adding @DeclareRoles({ "superusers", "plainusers", "admin" }) to my EJB, I was able to confirm in the EJB that user "goetz" is in all three roles (by using ctx.isCallerInRole).
Maybe this is a vendor-specific feature, but does the spec explicitly recommend/mandate that a user can only be mapped to one role?
- Site Admin
- Posts: 10036
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
The EJB 3.1 specification doesn't mention anything about how user principals are mapped to a role. But after reading the following statement from Java EE Platform Specification 6, I now think it should be possible to map a user to multiple roles.
Section EE.3.2:
The container’s evaluation stops with an “is authorized” outcome when the container is able to map the caller’s credential to a role.
The question has been corrected accordingly.
thank you for your feedback,
Paul.
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
Re: About Question enthuware.oce-ejbd.v6.2.614 :
I got confused by the first word "map" in this answer:
"Create a role named administrator and map admin and superuser to this role then map user Bob to administrator role."
Mapping a "user" to a "role" is quite often used in EE terms. Mapping a "role" to a "role" is something that is often explained as linking.
I assume you meant to say:
"Create a role named administrator and link the roles admin and superuser to this role then map user Bob to administrator role."
like this in the deployment descriptor:
<ejb-jar>
  ...
  <enterprise-beans>
    <session>
      <ejb-name>XBean</ejb-name>
      <ejb-class>com.aardvark.XBean</ejb-class>
      <session-type>Stateless</session-type>
      <security-role-ref>
        <description>superuser used in the code is an administrator in the ear</description>
        <role-name>superuser</role-name>
        <role-link>administrator</role-link>
      </security-role-ref>
    </session>
    <session>
      <ejb-name>YBean</ejb-name>
      <ejb-class>com.cow.YBean</ejb-class>
      <session-type>Stateless</session-type>
      <security-role-ref>
        <description>admin used in the code is an administrator in the ear</description>
        <role-name>admin</role-name>
        <role-link>administrator</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  ...
  <assembly-descriptor>
    <security-role>
      <role-name>administrator</role-name>
    </security-role>
    ...
  </assembly-descriptor>
</ejb-jar>
Regards,
Frits
- Site Admin
- Posts: 10036
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Hi Frits,
Map has been changed to link in this case.
thank you for your feedback!
Paul.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Possible typo: "preffered approach" should be "preferred approach" in answer three.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Missing explanation for answer four:
Answer four (Map user Bob to admin role and map superuser role to admin role.) is missing an explanation.
In my opinion it should work, but essentially you have two names for the same security role (superuser = admin).
- Site Admin
- Posts: 10036
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
tobias.gaenzler wrote:Missing explanation for answer four:
Answer four (Map user Bob to admin role and map superuser role to admin role.) is missing an explanation.
In my opinion it should work, but essentially you have two names for the same security role (superuser = admin).
Option 4 is not correct because there is no role named "admin" in the system. There is a role named "administrator" to which "Bob" belongs. So creating a role admin and linking superuser to admin is not enough.
HTH,
Paul.
- Posts: 2
- Joined: Thu Jun 27, 2013 9:32 am
Re: About Question enthuware.oce-ejbd.v6.2.614 :
You say you changed the question to reflect that a user can indeed be mapped to several roles, but why is answer 1 still wrong then?
- Posts: 1
- Joined: Thu Sep 12, 2013 2:46 am
Re: About Question enthuware.oce-ejbd.v6.2.614 :
"Option 4 is not correct because there is no role named "admin" in the system."
Eh? It says @RolesAllowed("admin"), hence there is a role named "admin" in the system?
- Site Admin
- Posts: 10036
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
I don't see that explanation in option 4. It is not correct because you cannot map one role to another role.
HTH,
Paul.
- Posts: 8
- Joined: Thu Sep 25, 2014 2:48 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Hi,
I'm a little confused about this sentence:
Create a role named administrator and link admin and superuser to this role then map user Bob to administrator role.
So, having this in ejb-jar:
<assembly-descriptor>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
</assembly-descriptor>
and
<enterprise-beans>
  <session>
    ....
    <security-role-ref>
      <role-name>superuser</role-name>
      <role-link>administrator</role-link>
    </security-role-ref>
  </session>
</enterprise-beans>
can a user mapped to the "administrator" role access a method with @RolesAllowed("superuser")?
I've just tested it on WebLogic server and I get javax.ejb.EJBAccessException.
Many thanks.
- Site Admin
- Posts: 10036
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
@RolesAllowed doesn't use security-role-refs. It uses actual role names. To use the names given in security-role-refs, you have to use the deployment descriptor.
HTH,
Paul.
- Posts: 8
- Joined: Thu Sep 25, 2014 2:48 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
So, the <role-link> in <security-role-ref> is useful only for a programmatic security check (the EJBContext.isCallerInRole() method)?
Thanks.
- Site Admin
- Posts: 10036
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Yes, that is correct.
- Posts: 358
- Joined: Fri Nov 29, 2013 8:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
I think option 4 is not correct because we cannot map an EJB's "admin" role to the "superuser" role or vice versa in a DD.
But you can map an EJB's role to the operating environment role:
For example, in GlassFish, you have a group called administors. In your EJB, you have a role called "admin".
In the vendor-specific DD, we can do this:
<security-role-mapping>
  <role-name>admin</role-name>
  <group-name>administors</group-name>
</security-role-mapping>
- Posts: 358
- Joined: Fri Nov 29, 2013 8:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
supergiu wrote:So, the <role-link> in <security-role-ref> is useful only for a programmatic security check (the EJBContext.isCallerInRole() method)?
Thanks.
The value of <role-link> in <security-role-ref> is to link the role used in the EJB, as declared in the DD, to the role defined in <assembly-descriptor>'s <security-role> in the same DD (e.g. ejb-jar.xml).
And the <security-role> in <assembly-descriptor> is referred to in another, vendor-specific DD (e.g. glassfish-ejb-jar.xml).
Keep in mind the bean provider defines roles in annotations in the code or in ejb-jar.xml.
The assembler defines roles without knowing in advance what the bean provider defines.
Therefore, the assembler needs to use <role-link> to map the role defined by the assembler to the role defined by the bean provider.
For example, the bean provider defines a role called "superUser". Without knowing that in advance, the assembler defines the same role, but calls it "admin".
Therefore, the assembler needs to use <role-link> to link "admin" to "superUser".
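The distinction made in the last few posts, that @RolesAllowed compares real role names while a <security-role-ref>/<role-link> only changes what EJBContext.isCallerInRole() resolves, and the earlier observation that one user ("goetz") can end up in several roles through the vendor mapping, can be seen in one small simulation. The following Python is an added example written for this thread; it is not code from Enthuware, GlassFish, WebLogic or any EJB container. It parses constructed ejb-jar.xml and GlassFish-style security-role-mapping fragments modelled on the ones posted above (the XBean/administrator link and the goetz mappings) together with a constructed realm of user-to-group memberships, then answers both kinds of check. The function names, the sample data and the rule that a security-role-ref without a role-link uses the coded name unchanged are assumptions of the example.

```python
# Added example: a toy model of EJB role resolution (not container code).
# Two checks are modelled:
#   roles_allowed_permits  -> declarative @RolesAllowed, compares real role names only
#   is_caller_in_role      -> programmatic EJBContext.isCallerInRole, resolves role-link first
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml: XBean's code calls isCallerInRole("superuser"), and the
# assembler links that coded name to the real role "administrator".
EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>XBean</ejb-name>
      <security-role-ref>
        <role-name>superuser</role-name>
        <role-link>administrator</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>administrator</role-name></security-role>
  </assembly-descriptor>
</ejb-jar>"""

# Constructed vendor-specific mapping (GlassFish security-role-mapping style):
# bob -> administrator; goetz -> superusers and admin directly, plainusers via a group.
VENDOR_XML = """<glassfish-ejb-jar>
  <security-role-mapping>
    <role-name>administrator</role-name>
    <principal-name>bob</principal-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>superusers</role-name>
    <principal-name>goetz</principal-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>plainusers</role-name>
    <group-name>plain-users</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>admin</role-name>
    <principal-name>goetz</principal-name>
  </security-role-mapping>
</glassfish-ejb-jar>"""

# Constructed realm data: the groups each authenticated user belongs to.
REALM_GROUPS = {"goetz": {"plain-users"}, "bob": set()}


def parse_role_links(ejb_jar_xml):
    """Return {(ejb-name, coded role name): real role} from every security-role-ref."""
    links = {}
    root = ET.fromstring(ejb_jar_xml)
    for bean in root.iter("session"):
        ejb_name = bean.findtext("ejb-name")
        for ref in bean.findall("security-role-ref"):
            coded = ref.findtext("role-name")
            # Assumption of this model: with no role-link the coded name is used as-is.
            links[(ejb_name, coded)] = ref.findtext("role-link") or coded
    return links


def parse_role_mappings(vendor_xml):
    """Return {real role: (principals, groups)} from every security-role-mapping."""
    mappings = {}
    root = ET.fromstring(vendor_xml)
    for m in root.findall("security-role-mapping"):
        principals, groups = mappings.setdefault(m.findtext("role-name"), (set(), set()))
        principals.update(p.text for p in m.findall("principal-name"))
        groups.update(g.text for g in m.findall("group-name"))
    return mappings


def caller_roles(user, mappings, realm_groups):
    """Every real role the deployer's mapping grants to the user, directly or via a group."""
    user_groups = realm_groups.get(user, set())
    return {role for role, (principals, groups) in mappings.items()
            if user in principals or user_groups & groups}


def roles_allowed_permits(user, method_roles, mappings, realm_groups):
    """@RolesAllowed: the caller needs one of the listed *real* role names; role-link is ignored."""
    return bool(caller_roles(user, mappings, realm_groups) & set(method_roles))


def is_caller_in_role(user, ejb_name, coded_role, links, mappings, realm_groups):
    """isCallerInRole: translate the bean's coded name through role-link, then check the real role."""
    real_role = links.get((ejb_name, coded_role), coded_role)
    return real_role in caller_roles(user, mappings, realm_groups)


LINKS = parse_role_links(EJB_JAR_XML)
MAPPINGS = parse_role_mappings(VENDOR_XML)

if __name__ == "__main__":
    # goetz is in all three roles, two directly and one through his group
    print(sorted(caller_roles("goetz", MAPPINGS, REALM_GROUPS)))
    # Bob passes isCallerInRole("superuser") inside XBean because of the role-link ...
    print(is_caller_in_role("bob", "XBean", "superuser", LINKS, MAPPINGS, REALM_GROUPS))
    # ... but @RolesAllowed("superuser") denies him: no real role of that name is mapped to him
    print(roles_allowed_permits("bob", ["superuser"], MAPPINGS, REALM_GROUPS))
```

Running it reproduces both outcomes from the thread: "goetz" is found in three roles, and "bob" is accepted by the programmatic check on the linked name but rejected by the declarative check on "superuser", which is exactly the javax.ejb.EJBAccessException supergiu saw. The fix in the model is the same as in a real descriptor: grant the method the real role ("administrator") or map the user to a real role named "superuser".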
- Posts: 358
- Joined: Fri Nov 29, 2013 8:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
In option 4, I think we can have a DD like this:
ejb-jar.xml
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>YBean</ejb-name>
      ....
      <security-role-ref>
        <role-name>admin</role-name>
      </security-role-ref>
    </session>
    <session>
      <ejb-name>XBean</ejb-name>
      ....
      <security-role-ref>
        <role-name>superuser</role-name>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>admin</role-name></security-role>
    <security-role><role-name>superuser</role-name></security-role>
  </assembly-descriptor>
</ejb-jar>
In a vendor-specific DD, the deployer can map Bob to admin and map admin to superuser.
(Since mapping a principal to a logical role defined by the application assembler/bean provider is server specific, the EJB spec does not define how the deployer will do the mapping.)
Is it possible to do that?