About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Sat May 28, 2011 10:46 am
by jszczepankiewicz
Why is option number 1 not correct? I thought that both options 1 and 3 were correct.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Sun May 29, 2011 4:52 pm
by admin
You can't map a user to multiple roles.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Sun Jan 15, 2012 3:28 am
by goetz
Re: You can't map a user to multiple roles.
Is this specified in the spec? Because GlassFish v3.1 seems to allow a single user to be mapped to multiple roles, by including something like the following in the sun-web.xml DD:
<security-role-mapping>
<role-name>superusers</role-name>
<principal-name>goetz</principal-name>
</security-role-mapping>
<security-role-mapping>
<role-name>plainusers</role-name>
<group-name>plain-users</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>admin</role-name>
<principal-name>goetz</principal-name>
</security-role-mapping>
Using the GlassFish admin console I associated "goetz" to the "plain-users" group only. However with the above DD and by adding "@DeclareRoles({ "superusers", "plainusers", "admin" })" to my EJB, I was able to confirm in the EJB that user "goetz" is in all three roles (by using ctx.isCallerInRole).
Maybe this is a vendor-specific feature, but does the spec explicitly recommend/mandate that a user can only be mapped to one role?
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Mon Jan 16, 2012 9:29 am
by admin
The EJB 3.1 specification doesn't mention anything about how user principals are mapped to a role. But after reading the following statement from Java EE Platform Specification 6, I now think it should be possible to map a user to multiple roles.
Section EE.3.2:
The container’s evaluation stops with an “is authorized” outcome when the container is able to map the caller’s credential to a role.
The question has been corrected accordingly.
thank you for your feedback,
Paul.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Thu Sep 06, 2012 5:13 am
by fjwalraven
I got confused by the first word "map" in this answer:
"Create a role named administrator and
map admin and superuser to this role then
map user Bob to administrator role."
Mapping a "user" to a "role" is quite often used in EE terms. Mapping a "role" to a "role" is something that is often explained as linking.
I assume you meant to say:
"Create a role named administrator and
link the roles admin and superuser to this role then
map user Bob to administrator role."
like this in the deployment descriptor:
<ejb-jar>
...
<!-- enterprise-beans and assembly-descriptor are siblings under ejb-jar -->
<enterprise-beans>
<session>
<ejb-name>XBean</ejb-name>
<ejb-class>com.aardvark.XBean</ejb-class>
<session-type>Stateless</session-type>
<security-role-ref>
<description>superuser used in the code is an administrator in the ear</description>
<role-name>superuser</role-name>
<role-link>administrator</role-link>
</security-role-ref>
</session>
<session>
<ejb-name>YBean</ejb-name>
<ejb-class>com.cow.YBean</ejb-class>
<session-type>Stateless</session-type>
<security-role-ref>
<description>admin used in the code is an administrator in the ear</description>
<role-name>admin</role-name>
<role-link>administrator</role-link>
</security-role-ref>
</session>
</enterprise-beans>
...
<assembly-descriptor>
<!-- the single role both role-links point at -->
<security-role>
<role-name>administrator</role-name>
</security-role>
...
</assembly-descriptor>
</ejb-jar>
Regards,
Frits
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Sun Sep 09, 2012 3:22 pm
by admin
Hi Frits,
Map has been changed to link in this case.
thank you for your feedback!
Paul.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Mon Oct 15, 2012 12:49 pm
by tobias.gaenzler
Possible typo: "preffered approach" should be "preferred approach" in answer three.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Mon Oct 15, 2012 1:05 pm
by tobias.gaenzler
Missing explanation for answer four:
Answer four (Map user Bob to admin role and map superuser role to admin role.) is missing an explanation.
In my opinion it should work, but essentially you have two names for the same security role (superuser = admin).
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Tue Oct 16, 2012 4:04 pm
by admin
tobias.gaenzler wrote:Missing explanation for answer four:
Answer four (Map user Bob to admin role and map superuser role to admin role.) is missing an explanation.
In my opinion it should work, but essentially you have two names for the same security role (superuser = admin).
Option 4 is not correct because there is no role named "admin" in the system. There is a role named "administrator" to which "Bob" belongs. So creating a role admin and linking superuser to admin is not enough.
HTH,
Paul.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Sat Jun 29, 2013 11:05 am
by Lommelygte
You say you changed the question to reflect that a user can indeed be mapped to several roles, but why is answer 1 still wrong then?
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Thu Sep 12, 2013 2:49 am
by kingSnake
"Option 4 is not correct because there is no role named "admin" in the system."
eh? it says: @RolesAllowed("admin"), hence there is a role named "admin" in the system?
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Thu Sep 12, 2013 8:22 am
by admin
I don't see that explanation in option 4. It is not correct because you cannot map one role to another role.
HTH,
Paul.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Sun Oct 05, 2014 9:43 am
by supergiu
Hi,
I'm a little confused about this sentence:
Create a role named administrator and link admin and superuser to this role then map user Bob to administrator role.
So, having this on ejb-jar:
<assembly-descriptor>
<security-role>
<role-name>administrator</role-name>
</security-role>
</assembly-descriptor>
and
<enterprise-beans>
<session>
....
<security-role-ref>
<role-name>superuser</role-name>
<role-link>administrator</role-link>
</security-role-ref>
</session>
</enterprise-beans>
can a user mapped to the "administrator" role access a method with @RolesAllowed("superuser")?
I've just tested it on WebLogic server and I get javax.ejb.EJBAccessException.
Many thanks.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Sun Oct 05, 2014 9:53 am
by admin
@RolesAllowed doesn't use security-role-refs. It uses actual role names. To use names given in security-role-refs, you have to use the deployment descriptor.
HTH,
Paul.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Mon Oct 06, 2014 5:55 am
by supergiu
So, a <role-link> in <security-role-ref> is useful only for a programmatic security check (EJBContext.isCallerInRole() method)?
Thanks.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Mon Oct 06, 2014 11:12 am
by admin
Yes, that is correct.
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Wed Apr 22, 2015 6:58 pm
by himaiMinh
I think option 4 is not correct because we cannot map EJB's "admin" role to "superuser" role or vice versa in a dd.
But you can map an EJB's role to the operating environment role:
For example, in GlassFish, you have a group called administors. In your EJB, you have a role called "admin".
In the vendor specific dd, we can do this:
<security-role-mapping>
<role-name>admin</role-name>
<group-name>administors</group-name>
</security-role-mapping>
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Thu Apr 23, 2015 9:50 am
by himaiMinh
supergiu wrote:So, the a <role-link> in <security-role-ref> is useful only for a programmatic security check (EJBContext.isCallerInRole() method)?
Thanks.
The value of <role-link> in <security-role-ref> is to link the role defined in EJB in dd to the role defined in <assembly-descriptor>'s <security-role> in the same dd (eg ejb-jar.xml) .
And the <security-role> in <assembly-descriptor> is referred to in another vendor-specific dd (eg glassfish-ejb-jar.xml).
Keep in mind the bean provider defines roles in annotation in the code or in ejb-jar.xml.
The assembler defines roles without knowing in advance what the bean provider defines.
Therefore, the assembler needs to use <role-link> to map the role defined by the assembler to the role defined by the bean provider.
For example, the bean provider defines a role called "superUser". Without knowing that in advance, the assembler defines the same role, but calls it "admin".
Therefore, the assembler needs to use <role-link> to link "admin" to "superUser".
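The two behaviours argued over in this thread, a single principal mapped to several roles (goetz's sun-web.xml snippet and the EE.3.2 quote above) and the difference between @RolesAllowed, which only sees real role names, and isCallerInRole(), which resolves the name used in the code through <role-link> (Paul's and himaiMinh's replies above), can be checked against a small model of the container's role resolution. The script below is an added illustration, not code from this thread or from GlassFish or WebLogic; the two descriptor fragments, the GROUPS identity store and all function names are constructed for the example.

```python
"""Model of how a Java EE container resolves EJB security roles.
Added illustration, not code from the forum thread or any application server;
the descriptors, the GROUPS store and the function names are constructed."""
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml: XBean is coded against "superuser", YBean against
# "admin"; the assembler links both names to the declared role "administrator".
EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>XBean</ejb-name>
      <security-role-ref>
        <role-name>superuser</role-name>
        <role-link>administrator</role-link>
      </security-role-ref>
    </session>
    <session>
      <ejb-name>YBean</ejb-name>
      <security-role-ref>
        <role-name>admin</role-name>
        <role-link>administrator</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>administrator</role-name></security-role>
    <security-role><role-name>plainusers</role-name></security-role>
  </assembly-descriptor>
</ejb-jar>"""

# Constructed vendor mapping (GlassFish-style element names as in the thread):
# "bob" lands in one role directly and in a second one through his group.
VENDOR_XML = """<mappings>
  <security-role-mapping>
    <role-name>administrator</role-name>
    <principal-name>bob</principal-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>plainusers</role-name>
    <group-name>plain-users</group-name>
  </security-role-mapping>
</mappings>"""

# Constructed identity store: principal -> groups, as the realm would answer.
GROUPS = {"bob": {"plain-users"}, "alice": {"plain-users"}}


def parse_role_refs(ejb_jar_xml):
    """Return {ejb-name: {coded role-name: declared role}} from the
    <security-role-ref> elements. A ref without <role-link> keeps its own
    name; a <role-link> to an undeclared <security-role> is rejected, as a
    container would reject the descriptor at deployment time."""
    root = ET.fromstring(ejb_jar_xml)
    declared = {r.findtext("role-name") for r in root.iter("security-role")}
    refs = {}
    for bean in root.iter("session"):
        links = {}
        for ref in bean.iter("security-role-ref"):
            name = ref.findtext("role-name")
            link = ref.findtext("role-link")
            if link is not None and link not in declared:
                raise ValueError(f"role-link {link!r} is not a declared security-role")
            links[name] = link or name
        refs[bean.findtext("ejb-name")] = links
    return refs


def parse_role_mapping(vendor_xml):
    """Return {role: (principals, groups)}; one principal or group may appear
    under several roles, which is exactly the multi-role mapping in question."""
    mapping = {}
    for m in ET.fromstring(vendor_xml).iter("security-role-mapping"):
        principals, groups = mapping.setdefault(m.findtext("role-name"), (set(), set()))
        principals.update(p.text for p in m.findall("principal-name"))
        groups.update(g.text for g in m.findall("group-name"))
    return mapping


def roles_of(principal, mapping, groups=GROUPS):
    """Every declared role the caller's credential maps to, directly or via a group."""
    mine = groups.get(principal, set())
    return {role for role, (ps, gs) in mapping.items() if principal in ps or mine & gs}


def roles_allowed(principal, allowed, mapping):
    """@RolesAllowed: compares the caller's roles with real role names only
    (no role-link lookup) and authorizes as soon as one of them matches."""
    return bool(roles_of(principal, mapping) & set(allowed))


def is_caller_in_role(principal, ejb_name, coded_role, refs, mapping):
    """EJBContext.isCallerInRole(): the name used in the bean's code is first
    resolved through that bean's own security-role-ref, then tested."""
    real_role = refs.get(ejb_name, {}).get(coded_role, coded_role)
    return real_role in roles_of(principal, mapping)


if __name__ == "__main__":
    refs, mapping = parse_role_refs(EJB_JAR_XML), parse_role_mapping(VENDOR_XML)
    print("roles of bob:", sorted(roles_of("bob", mapping)))
    print("@RolesAllowed('superuser') admits bob:", roles_allowed("bob", ["superuser"], mapping))
    print("XBean isCallerInRole('superuser') for bob:", is_caller_in_role("bob", "XBean", "superuser", refs, mapping))
```

Running it shows bob in both "administrator" and "plainusers", @RolesAllowed("superuser") refusing him because "superuser" is not a real role (supergiu's EJBAccessException), and XBean's isCallerInRole("superuser") accepting him because the ref links that name to "administrator"; the same coded name asked from a bean without that ref resolves to nothing.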
Re: About Question enthuware.oce-ejbd.v6.2.614 :
Posted: Mon Jun 15, 2015 6:39 pm
by himaiMinh
In option 4, I think we can have a dd like this:
ejb-jar.xml
<enterprise-beans>
<session>
<ejb-name>YBean</ejb-name>
....
<security-role-ref>
<role-name>admin</role-name>
</security-role-ref>
</session>
<session>
<ejb-name>XBean</ejb-name>
....
<security-role-ref>
<role-name>superuser</role-name>
</security-role-ref>
</session>
</enterprise-beans>
<assembly-descriptor>
<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>superuser</role-name></security-role>
</assembly-descriptor>
In a vendor specific dd, the deployer can map Bob to admin and map admin to superuser.
(Since mapping a principal to a logical role defined by the application assembler/bean provider is server specific, the EJB spec does not define how the deployer will do the mapping.)
Is it possible to do that?