About Question enthuware.oce-ejbd.v6.2.614 :

All the posts and topics that contain only an error report will be moved here after the error is corrected. This is to ensure that when users view a question in ETS Viewer, the "Discuss" button will not indicate the presence of a discussion that adds no value to the question.


kingSnake
Posts: 1
Joined: Thu Sep 12, 2013 2:46 am

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by kingSnake »

"Option 4 is not correct because there is no role named "admin" in the system."

eh? it says: @RolesAllowed("admin"), hence there is a role named "admin" in the system?

admin
Site Admin
Posts: 10389
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by admin »

I don't see that explanation in option 4. It is not correct because you cannot map one role to another role.

HTH,
Paul.

supergiu
Posts: 8
Joined: Thu Sep 25, 2014 2:48 pm

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by supergiu »

Hi,
I'm a little confused about this sentence:
Create a role named administrator and link admin and superuser to this role then map user Bob to administrator role.
So, having this in ejb-jar.xml:


<assembly-descriptor>
  <!-- security role the container knows about; the deployer maps users/groups to it -->
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
</assembly-descriptor>
and


<enterprise-beans>
  <session>
    ....
    <!-- "superuser" is only a reference name; role-link resolves it to the
         security role "administrator" for isCallerInRole("superuser") -->
    <security-role-ref>
      <role-name>superuser</role-name>
      <role-link>administrator</role-link>
    </security-role-ref>
  </session>
</enterprise-beans>
can a user mapped to the "administrator" role access a method with @RolesAllowed("superuser")?
I've just tested it on WebLogic Server and I get javax.ejb.EJBAccessException.

Many thanks.

admin
Site Admin
Posts: 10389
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by admin »

@RolesAllowed doesn't use security-role-refs. It uses actual role names. To use names given in security-role-refs, you have to use deployment descriptor.

HTH,
Paul.
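To make the distinction in Paul's answer concrete, here is an added example (it is not from the original question or from Enthuware): a stateless session bean in which the declarative @RolesAllowed check is matched against security-role names directly, while the programmatic isCallerInRole check goes through the bean's security-role-ref. The role names administrator and superuser follow supergiu's descriptor above (superuser being linked to administrator via role-link); the bean name AdminBean and the method names are assumptions.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Assumed bean name. The ejb-jar.xml for this bean is assumed to contain
//   <security-role-ref><role-name>superuser</role-name>
//                      <role-link>administrator</role-link></security-role-ref>
// and the vendor descriptor to map the caller (e.g. Bob) to "administrator" only.
@Stateless
public class AdminBean {

    @Resource
    private SessionContext ctx;

    // Declarative check: the container compares the caller's mapped security
    // roles against the literal role name "superuser". It never consults
    // <security-role-ref>/<role-link>, so a caller mapped only to
    // "administrator" is rejected with javax.ejb.EJBAccessException.
    @RolesAllowed("superuser")
    public void resetAllPasswords() {
        // privileged work
    }

    // Declarative check against the real security role: a caller mapped to
    // "administrator" is allowed in.
    @RolesAllowed("administrator")
    public void rotateKeys() {
        // privileged work
    }

    // Programmatic check: "superuser" is the reference name, resolved through
    // the bean's <security-role-ref> to the security role "administrator",
    // so the same caller passes here.
    public boolean canAudit() {
        return ctx.isCallerInRole("superuser");
    }
}
```

The practical consequence is the one supergiu observed: for annotations (and for <method-permission> in ejb-jar.xml) use the security-role names that the deployer actually maps principals to; role-link only renames for isCallerInRole().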

supergiu
Posts: 8
Joined: Thu Sep 25, 2014 2:48 pm

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by supergiu »

So, a <role-link> in <security-role-ref> is useful only for a programmatic security check (the EJBContext.isCallerInRole() method)?

Thanks.

admin
Site Admin
Posts: 10389
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by admin »

Yes, that is correct.

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by himaiMinh »

I think option 4 is not correct because we cannot map the EJB's "admin" role to the "superuser" role or vice versa in a dd.
But you can map an EJB's role to an operating-environment role:
For example, in GlassFish, you have a group called "administrators". In your EJB, you have a role called "admin".
In the vendor-specific dd, we can do this:
<security-role-mapping>
  <role-name>admin</role-name>
  <group-name>administrators</group-name>
</security-role-mapping>

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by himaiMinh »

supergiu wrote: So, a <role-link> in <security-role-ref> is useful only for a programmatic security check (the EJBContext.isCallerInRole() method)?

Thanks.
The value of <role-link> in <security-role-ref> is to link the role defined in the EJB in the dd to the role defined in the <assembly-descriptor>'s <security-role> in the same dd (e.g. ejb-jar.xml).

And the <security-role> in the <assembly-descriptor> is referred to in another, vendor-specific dd (e.g. glassfish-ejb-jar.xml).

Keep in mind the bean provider defines roles in annotations in the code or in ejb-jar.xml.
The assembler defines roles without knowing in advance what the bean provider defines.
Therefore, the assembler needs to use <role-link> to map the role defined by the assembler to the role defined by the bean provider.
For example, the bean provider defines a role called "superUser". Without knowing that in advance, the assembler defines the same role, but calls it "admin".
Therefore, the assembler needs to use <role-link> to link "admin" to "superUser".
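Putting himaiMinh's description into a full descriptor pair, as an added example that is not from the original thread (the bean name AdminBean, the method name rotateKeys, the group administrators and the user Bob are assumptions): role-link in ejb-jar.xml binds the name the bean provider coded to the assembler's security role, and the vendor descriptor binds that security role to real principals. Note that the vendor mapping is always role-to-principal/group; there is no element that maps one security role to another.

```xml
<!-- ejb-jar.xml (fragment, assumed bean and method names) -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.1">
  <enterprise-beans>
    <session>
      <ejb-name>AdminBean</ejb-name>
      <!-- name coded by the bean provider, i.e. isCallerInRole("superuser"),
           linked by the assembler to the security role "administrator" -->
      <security-role-ref>
        <role-name>superuser</role-name>
        <role-link>administrator</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- the only security role the deployer has to map principals to -->
    <security-role>
      <role-name>administrator</role-name>
    </security-role>
    <!-- declarative permission by security-role name; this is what
         @RolesAllowed("administrator") on rotateKeys() would express -->
    <method-permission>
      <role-name>administrator</role-name>
      <method>
        <ejb-name>AdminBean</ejb-name>
        <method-name>rotateKeys</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- glassfish-ejb-jar.xml (fragment): the deployer maps the security role
     to operating-environment groups and principals, never to another role -->
<glassfish-ejb-jar>
  <security-role-mapping>
    <role-name>administrator</role-name>
    <group-name>administrators</group-name>
    <principal-name>Bob</principal-name>
  </security-role-mapping>
</glassfish-ejb-jar>
```

With these two files, Bob (or any member of administrators) passes both the <method-permission> above and isCallerInRole("superuser"); a method annotated @RolesAllowed("superuser") would still reject him, because "superuser" is never a mapped security role here.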

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by himaiMinh »

In option 4, I think we can have a dd like this:
ejb-jar.xml
<enterprise-beans>
  <session>
    <ejb-name>YBean</ejb-name>
    ....
    <security-role-ref>
      <role-name>admin</role-name>
    </security-role-ref>
  </session>
  <session>
    <ejb-name>XBean</ejb-name>
    ....
    <security-role-ref>
      <role-name>superuser</role-name>
    </security-role-ref>
  </session>
</enterprise-beans>
<assembly-descriptor>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>superuser</role-name></security-role>
</assembly-descriptor>
In a vendor-specific dd, the deployer can map Bob to admin and map admin to superuser.
(Since mapping a principal to a logical role defined by the application assembler/bean provider is server-specific, the EJB spec does not define how the deployer will do the mapping.)

Is it possible to do that ?
