About Question enthuware.oce-ejbd.v6.2.614 :
-
- Posts: 1
- Joined: Thu Sep 12, 2013 2:46 am
Re: About Question enthuware.oce-ejbd.v6.2.614 :
"Option 4 is not correct because there is no role named "admin" in the system."
eh? it says: @RolesAllowed("admin"), hence there is a role named "admin" in the system?
-
- Site Admin
- Posts: 10053
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
I don't see that explanation in option 4. It is not correct because you cannot map one role to another role.
HTH,
Paul.
If you like our products and services, please help us by posting your review here.
-
- Posts: 8
- Joined: Thu Sep 25, 2014 2:48 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Hi,
I'm a little confused about this sentence:
"Create a role named administrator and link admin and superuser to this role then map user Bob to administrator role."
So, having this in ejb-jar:
<assembly-descriptor>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
</assembly-descriptor>
and
<enterprise-beans>
  <session>
    ....
    <security-role-ref>
      <role-name>superuser</role-name>
      <role-link>administrator</role-link>
    </security-role-ref>
  </session>
</enterprise-beans>
a user mapped to the "administrator" role can access a method with @RolesAllowed("superuser")?
I've just tested it on WebLogic Server and I get javax.ejb.EJBAccessException.
Many thanks.
-
- Site Admin
- Posts: 10053
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
@RolesAllowed doesn't use security-role-refs. It uses actual role names. To use the names given in security-role-refs, you have to use the deployment descriptor.
HTH,
Paul.
-
- Posts: 8
- Joined: Thu Sep 25, 2014 2:48 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
So, the <role-link> in <security-role-ref> is useful only for a programmatic security check (the EJBContext.isCallerInRole() method)?
Thanks.
-
- Site Admin
- Posts: 10053
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Yes, that is correct.
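Paul's two answers above say that @RolesAllowed takes the real security role name, while the name in a <security-role-ref> only matters to isCallerInRole(), where <role-link> resolves it. The bean below is an added example written for this thread; it is not code from the Enthuware question or from anyone posting here. It assumes supergiu's setup: the only real role is "administrator", Bob is mapped to it in the vendor descriptor, and "superuser" exists only as a <security-role-ref> of this bean whose <role-link> is "administrator". The bean and method names are assumed.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/*
 * Added example, not from the Enthuware question or any post in this thread.
 * Assumed setup (matches supergiu's ejb-jar.xml):
 *   - "administrator" is the real security role (declared here and in
 *     <assembly-descriptor>); the deployer maps user Bob to it.
 *   - "superuser" is NOT a security role. It is a <security-role-ref> of this
 *     bean with <role-link>administrator</role-link>.
 */
@Stateless
@DeclareRoles("administrator")
public class AdminServiceBean {

    @Resource
    private SessionContext ctx;

    /*
     * Declarative check. The container compares the caller's real roles with
     * the literal "administrator"; <security-role-ref> is not consulted.
     * Bob is in "administrator", so Bob is allowed in.
     */
    @RolesAllowed("administrator")
    public String resetPassword(String user) {
        return "password reset for " + user;
    }

    /*
     * Same annotation, but with the reference name. No principal is mapped to
     * a role called "superuser" (it is only a role-ref), so the container
     * finds no caller in that role and throws javax.ejb.EJBAccessException,
     * which is the failure supergiu saw on WebLogic.
     */
    @RolesAllowed("superuser")
    public String resetPasswordWrongName(String user) {
        return "never reached for " + user;
    }

    /*
     * Programmatic check. isCallerInRole() takes the reference name: the
     * container follows <role-link>administrator</role-link> and then tests
     * whether the caller really holds "administrator". For Bob this is true.
     */
    @RolesAllowed("administrator")
    public boolean callerIsSuperuser() {
        return ctx.isCallerInRole("superuser");
    }
}
```

The two annotated methods differ only in the string passed to @RolesAllowed, which is exactly the point: the annotation is resolved against declared security roles, never against role-ref names, so a role-ref name there is a role nobody holds.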
-
- Posts: 358
- Joined: Fri Nov 29, 2013 8:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
I think option 4 is not correct because we cannot map the EJB's "admin" role to the "superuser" role, or vice versa, in a dd.
But you can map an EJB's role to an operating environment role:
For example, in GlassFish, you have a group called administrators. In your EJB, you have a role called "admin".
In the vendor-specific dd, we can do this:
<security-role-mapping>
  <role-name>admin</role-name>
  <group-name>administrators</group-name>
</security-role-mapping>
-
- Posts: 358
- Joined: Fri Nov 29, 2013 8:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
supergiu wrote:
So, the <role-link> in <security-role-ref> is useful only for a programmatic security check (the EJBContext.isCallerInRole() method)?
Thanks.

The value of <role-link> in <security-role-ref> is to link the role defined in the EJB in the dd to the role defined in the <assembly-descriptor>'s <security-role> in the same dd (e.g. ejb-jar.xml).
And the <security-role> in <assembly-descriptor> is referred to in another, vendor-specific dd (e.g. glassfish-ejb-jar.xml).
Keep in mind the bean provider defines roles in annotations in the code or in ejb-jar.xml.
The assembler defines roles without knowing in advance what the bean provider defines.
Therefore, the assembler needs to use <role-link> to map the role defined by the assembler to the role defined by the bean provider.
For example, the bean provider defines a role called "superUser". Without knowing that in advance, the assembler defines the same role but calls it "admin".
Therefore, the assembler needs to use <role-link> to link "admin" to "superUser".
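The two descriptors this post talks about, written out in full as an added example. This is not the Enthuware question's answer and not code from anyone in the thread; it assumes supergiu's scenario (real role "administrator", bean provider's reference name "superuser", user Bob) and an assumed bean name, and it uses glassfish-ejb-jar.xml for the vendor mapping, as the post above names that file. It also shows the descriptor form of @RolesAllowed, <method-permission>, which, like the annotation, is written against the real role name.

```xml
<!-- ejb-jar.xml: bean provider's role-ref plus the assembler's roles and
     permissions. Added example; bean and method names are assumed. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.1">
  <enterprise-beans>
    <session>
      <ejb-name>AdminServiceBean</ejb-name>
      <!-- Bean provider's name. Only isCallerInRole("superuser") sees it. -->
      <security-role-ref>
        <role-name>superuser</role-name>
        <!-- Assembler's link to the real role declared below. -->
        <role-link>administrator</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- The real security role: what @RolesAllowed and method-permission
         are checked against, and what the vendor dd maps principals to. -->
    <security-role>
      <role-name>administrator</role-name>
    </security-role>
    <!-- Descriptor equivalent of @RolesAllowed("administrator"). The
         role-name here must be a declared security role; putting the
         role-ref name "superuser" here would name a role nobody holds. -->
    <method-permission>
      <role-name>administrator</role-name>
      <method>
        <ejb-name>AdminServiceBean</ejb-name>
        <method-name>resetPassword</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- glassfish-ejb-jar.xml: the deployer's step, principal to real role.
     Vendor-specific; the EJB spec does not define this file. -->
<glassfish-ejb-jar>
  <security-role-mapping>
    <role-name>administrator</role-name>
    <principal-name>Bob</principal-name>
  </security-role-mapping>
</glassfish-ejb-jar>
```

Read top to bottom, the chain is: Bob -> administrator (vendor dd), administrator is the role that @RolesAllowed / method-permission test, and superuser -> administrator (role-link) exists only so that isCallerInRole("superuser") inside the bean resolves to the same role. Nothing in either file maps one security role to another security role.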
-
- Posts: 358
- Joined: Fri Nov 29, 2013 8:26 pm
Re: About Question enthuware.oce-ejbd.v6.2.614 :
In option 4, I think we can have a dd like this:
ejb-jar.xml
<enterprise-beans>
  <session>
    <ejb-name>YBean</ejb-name>
    ....
    <security-role-ref>
      <role-name>admin</role-name>
    </security-role-ref>
  </session>
  <session>
    <ejb-name>XBean</ejb-name>
    ....
    <security-role-ref>
      <role-name>superuser</role-name>
    </security-role-ref>
  </session>
</enterprise-beans>
<assembly-descriptor>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>superuser</role-name></security-role>
</assembly-descriptor>
In a vendor-specific dd, the deployer can map Bob to admin and map admin to superuser.
(Since mapping a principal to a logical role defined by the application assembler/bean provider is server specific, the EJB spec does not define how the deployer will do the mapping.)
Is it possible to do that?