About Question enthuware.oce-ejbd.v6.2.614 :

All the posts and topics that contain only an error report will be moved here after the error is corrected. This is to ensure that when users view a question in ETS Viewer, the "Discuss" button will not indicate the presence of a discussion that adds no value to the question.

jszczepankiewicz

About Question enthuware.oce-ejbd.v6.2.614 :

Post by jszczepankiewicz »

Why is option number 1 not correct? I thought that both option 1 and option 3 were correct.

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by admin »

You can't map a user to multiple roles.
If you like our products and services, please help us by posting your review here.

goetz

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by goetz »

Re: You can't map a user to multiple roles.

Is this specified in the spec? Because GlassFish v3.1 seems to allow a single user to be mapped to multiple roles, by including something like the following in the sun-web.xml DD:

<security-role-mapping>
	<role-name>superusers</role-name>
	<principal-name>goetz</principal-name>
</security-role-mapping>
<security-role-mapping>
	<role-name>plainusers</role-name>
	<group-name>plain-users</group-name>
</security-role-mapping>
<security-role-mapping>
	<role-name>admin</role-name>
	<principal-name>goetz</principal-name>
</security-role-mapping>
Using the GlassFish admin console I associated "goetz" to the "plain-users" group only. However with the above DD and by adding "@DeclareRoles({ "superusers", "plainusers", "admin" })" to my EJB, I was able to confirm in the EJB that user "goetz" is in all three roles (by using ctx.isCallerInRole).

Maybe this is a vendor-specific feature, but does the spec explicitly recommend/mandate that a user can only be mapped to one role?

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by admin »

The EJB 3.1 specification doesn't mention anything about how user principals are mapped to a role. But after reading the following statement from Java EE Platform Specification 6, I now think it should be possible to map a user to multiple roles.
Section EE.3.2:
The container’s evaluation stops with an “is authorized” outcome when the container is able to map the caller’s credential to a role.
The question has been corrected accordingly.

Thank you for your feedback,
Paul.

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by fjwalraven »

I got confused by the first word "map" in this answer:
"Create a role named administrator and map admin and superuser to this role then map user Bob to administrator role."

Mapping a "user" to a "role" is quite often used in EE terms. Mapping a "role" to a "role" is something that is often explained as linking.

I assume you meant to say:
"Create a role named administrator and link the roles admin and superuser to this role then map user Bob to administrator role."

like this in the deployment descriptor:

<ejb-jar>
  ...
  <enterprise-beans>
    <session>
      <ejb-name>XBean</ejb-name>
      <ejb-class>com.aardvark.XBean</ejb-class>
      <session-type>Stateless</session-type>
      <security-role-ref>
        <description>superuser used in the code is an administrator in the ear</description>
        <role-name>superuser</role-name>
        <role-link>administrator</role-link>
      </security-role-ref>
    </session>
    <session>
      <ejb-name>YBean</ejb-name>
      <ejb-class>com.cow.YBean</ejb-class>
      <session-type>Stateless</session-type>
      <security-role-ref>
        <description>admin used in the code is an administrator in the ear</description>
        <role-name>admin</role-name>
        <role-link>administrator</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  ...
  <assembly-descriptor>
    <security-role>
      <role-name>administrator</role-name>
    </security-role>
  </assembly-descriptor>
  ...
</ejb-jar>

Regards,
Frits

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by admin »

Hi Frits,
Map has been changed to link in this case.

Thank you for your feedback!
Paul.

tobias.gaenzler

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by tobias.gaenzler »

Possible typo: "preffered approach" should be "preferred approach" in answer three.

tobias.gaenzler

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by tobias.gaenzler »

Missing explanation for answer four:
Answer four (Map user Bob to admin role and map superuser role to admin role.) is missing an explanation.
In my opinion it should work, but essentially you have two names for the same security role (superuser = admin).

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by admin »

tobias.gaenzler wrote:Missing explanation for answer four:
Answer four (Map user Bob to admin role and map superuser role to admin role.) is missing an explanation.
In my opinion it should work, but essentially you have two names for the same security role (superuser = admin).
Option 4 is not correct because there is no role named "admin" in the system. There is a role named "administrator" to which "Bob" belongs. So creating a role admin and linking superuser to admin is not enough.

HTH,
Paul.

Lommelygte
Posts: 2
Joined: Thu Jun 27, 2013 9:32 am
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by Lommelygte »

You say you changed the question to reflect that a user can indeed be mapped to several roles, but why is answer 1 still wrong then?

kingSnake
Posts: 1
Joined: Thu Sep 12, 2013 2:46 am
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by kingSnake »

"Option 4 is not correct because there is no role named "admin" in the system."

eh? it says: @RolesAllowed("admin"), hence there is a role named "admin" in the system?

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by admin »

I don't see that explanation in option 4. It is not correct because you cannot map one role to another role.

HTH,
Paul.

supergiu
Posts: 8
Joined: Thu Sep 25, 2014 2:48 pm
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by supergiu »

Hi,
I'm a little confused about this sentence:
Create a role named administrator and link admin and superuser to this role then map user Bob to administrator role.
So, having this in ejb-jar.xml:

<assembly-descriptor>
<security-role>
	<role-name>administrator</role-name>
</security-role>
and

<enterprise-beans>
  <session>
    ....
    <security-role-ref>
	<role-name>superuser</role-name>
	<role-link>administrator</role-link>
    </security-role-ref> 
can a user mapped to the "administrator" role access a method annotated with @RolesAllowed("superuser")?
I've just tested it on WebLogic Server and I get javax.ejb.EJBAccessException.

Many thanks.

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by admin »

@RolesAllowed doesn't use security-role-refs. It uses actual role names. To use names given in security-role-refs, you have to use deployment descriptor.

HTH,
Paul.

supergiu
Posts: 8
Joined: Thu Sep 25, 2014 2:48 pm
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by supergiu »

So, a <role-link> in <security-role-ref> is useful only for a programmatic security check (the EJBContext.isCallerInRole() method)?

Thanks.

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by admin »

Yes, that is correct.

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by himaiMinh »

I think option 4 is not correct because we cannot map the EJB's "admin" role to the "superuser" role or vice versa in a dd.
But you can map an EJB's role to an operating-environment role:
For example, in GlassFish, you have a group called "administrators". In your EJB, you have a role called "admin".
In the vendor-specific dd, we can do this:
<security-role-mapping>
  <role-name>admin</role-name>
  <group-name>administrators</group-name>
</security-role-mapping>

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by himaiMinh »

supergiu wrote:So, the a <role-link> in <security-role-ref> is useful only for a programmatic security check (EJBContext.isCallerInRole() method)?

Thanks.
The value of <role-link> in <security-role-ref> is to link the role used by the EJB to the role defined in the <assembly-descriptor>'s <security-role> in the same dd (e.g. ejb-jar.xml).

And the <security-role> in the <assembly-descriptor> is referred to in another, vendor-specific dd (e.g. glassfish-ejb-jar.xml).

Keep in mind the bean provider defines roles in annotations in the code or in ejb-jar.xml.
The assembler defines roles without knowing in advance what the bean provider defines.
Therefore, the assembler needs to use <role-link> to map the role defined by the assembler to the role defined by the bean provider.
For example, the bean provider defines a role called "superUser". Without knowing that in advance, the assembler defines the same role, but calls it "admin".
Therefore, the assembler needs to use <role-link> to link "admin" to "superUser".
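As an added illustration of the two points made above (Paul's note that @RolesAllowed uses actual role names, and the explanation of <role-link>), here is a hypothetical stateless bean, ReportBean, written for this thread rather than taken from Enthuware's question or any poster's code; the ejb-jar.xml excerpt in the comment and the role names "administrator" and "superuser" are assumptions.

```java
package com.example.security; // hypothetical package

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/*
 * Assumed ejb-jar.xml for this bean. The coded name "superuser" is only a
 * reference; <role-link> resolves it to the real role "administrator":
 *
 * <enterprise-beans>
 *   <session>
 *     <ejb-name>ReportBean</ejb-name>
 *     <security-role-ref>
 *       <role-name>superuser</role-name>       <!-- name used in isCallerInRole() -->
 *       <role-link>administrator</role-link>   <!-- real role from assembly-descriptor -->
 *     </security-role-ref>
 *   </session>
 * </enterprise-beans>
 * <assembly-descriptor>
 *   <security-role><role-name>administrator</role-name></security-role>
 * </assembly-descriptor>
 *
 * The deployer then maps user Bob to "administrator" in the vendor dd
 * (e.g. glassfish-ejb-jar.xml); the EJB spec does not define that mapping.
 */
@Stateless
public class ReportBean {

    @Resource
    private SessionContext ctx;

    // Declarative check: the annotation must name the real role. Writing
    // @RolesAllowed("superuser") here would NOT be resolved through <role-link>,
    // so Bob (mapped only to "administrator") would get an EJBAccessException.
    @RolesAllowed("administrator")
    public String generateReport() {
        return "report for " + ctx.getCallerPrincipal().getName();
    }

    // Programmatic check: "superuser" is the coded name; the container resolves
    // it through <security-role-ref>/<role-link> to "administrator", so Bob passes.
    public boolean callerIsSuperuser() {
        return ctx.isCallerInRole("superuser");
    }
}
```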

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

Re: About Question enthuware.oce-ejbd.v6.2.614 :

Post by himaiMinh »

In option 4, I think we can have a dd like this:
ejb-jar.xml
<enterprise-beans>
  <session>
    <ejb-name>YBean</ejb-name>
    ....
    <security-role-ref>
      <role-name>admin</role-name>
    </security-role-ref>
  </session>
  <session>
    <ejb-name>XBean</ejb-name>
    ....
    <security-role-ref>
      <role-name>superuser</role-name>
    </security-role-ref>
  </session>
</enterprise-beans>
<assembly-descriptor>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>superuser</role-name></security-role>
</assembly-descriptor>
In a vendor specific dd, the deployer can map Bob to admin and map admin to superuser.
(Since mapping a principal to a logical role defined by the application assembler/bean provider is server specific, the EJB spec does not define how the deployer will do the mapping.)

Is it possible to do that ?
