StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POJava EE 5 security annotations getting ignored on methods in glassfish v2
primarykey
Id
14155453
data
AcceptedAnswerId
0
AnswerCount
1
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2013-01-04T10:34:58.683
FavoriteCount
1
LastActivityDate
2013-01-15T12:49:54.800
LastEditDate
2013-01-15T12:49:54.800
LastEditorUserId
534858
OwnerUserId
534858
ParentId
0
PostTypeId
1
Score
3
ViewCount
740
LastEditorDisplayName
text
Body
I have a simple EE5 application with a web client and and an ejb module running glassfish 2. The security annotations in the ejbs on methods are getting ignored, but not those on class level. For example I have following bean: <pre><code> @Stateful(mappedName = "ejb/PurchaseOrderDao") @DeclareRoles("employees") @RolesAllowed(value = { "employees" }) public class PurchaseOrderDao implements PurchaseOrderDaoLocal { @Resource private EJBContext ejbContext; @DenyAll public final void add(final PurchaseOrder instance) { log.debug("Is User in Role employees: {}", ejbContext.isCallerInRole("employees")); delegate.add(instance); } [...] } </code></pre> Every user can call this method. The debug statement returns the correct value. The security constraints on web resources in the webclient defined in the web.xml are working as expected but not those defined in the annotations on mwthods. In my application.xml I am defining the realm and the roles. I am mapping them in the sun-application.xml. What can be the cause? Is it a known issue of glassfish v2? It works correctly in glassfish v3. Other resources: sun-ejb-jar.xml <pre><code><?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd"> <sun-ejb-jar> <enterprise-beans> </enterprise-beans> </sun-ejb-jar> </code></pre> ejb-jar.xml <pre><code><?xml version="1.0" encoding="UTF-8"?> <ejb-jar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:ejb="http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" version="3.0"> <display-name>ejb</display-name> </ejb-jar> </code></pre> application.xml <pre><code><?xml version="1.0" encoding="UTF-8"?> <application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:application="http://java.sun.com/xml/ns/javaee/application_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_5.xsd" id="ocea" version="5"> <display-name>ocea</display-name> <module> <ejb>ejb.jar</ejb> </module> <module> <web> <web-uri>web.war</web-uri> <context-root>ocea</context-root> </web> </module> <security-role> <description>Employees</description> <role-name>employees</role-name> </security-role> <security-role> <description>Suppliers</description> <role-name>suppliers</role-name> </security-role> <library-directory>/lib</library-directory> </application> </code></pre> sun-application.xml <pre><code><?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE sun-application PUBLIC '-//Sun Microsystems, Inc.//DTD Application Server 9.0 Java EE Application 5.0//EN' 'http://www.sun.com/software/appserver/dtds/sun-application_5_0-0.dtd'> <sun-application> <security-role-mapping> <role-name>employees</role-name> <group-name>employees</group-name> </security-role-mapping> <security-role-mapping> <role-name>suppliers</role-name> <group-name>suppliers</group-name> </security-role-mapping> </sun-application> </code></pre> web.xml <pre><code><?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5"> <display-name>web</display-name>  <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login</form-login-page> <form-error-page>/loginfailed</form-error-page> </form-login-config> </login-config> <security-constraint> <web-resource-collection> <web-resource-name>PublicContent</web-resource-name> <description>Publically available Content needs no authorization.</description> <url-pattern>/static/*</url-pattern> <url-pattern>/logout</url-pattern> <url-pattern>/loggedout</url-pattern> <url-pattern>/decorator</url-pattern> </web-resource-collection> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Add Requests</web-resource-name> <description>accessible by employees</description> <url-pattern>/requestadd</url-pattern> <url-pattern>/requestaddreal</url-pattern> <url-pattern>/orderadd</url-pattern> </web-resource-collection> <auth-constraint> <role-name>employees</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Add Bids</web-resource-name> <description>accessible by suppliers</description> <url-pattern>/bidadd</url-pattern> </web-resource-collection> <auth-constraint> <role-name>suppliers</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Webapplication</web-resource-name> <description>accessible by authorized users</description> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <description>For Employees and Suppliers</description> <role-name>employees</role-name> <role-name>suppliers</role-name> </auth-constraint> </security-constraint>  <ejb-local-ref> <ejb-ref-name>ejb/Dao</ejb-ref-name> <local>ejb.dao.DaoLocal</local> </ejb-local-ref>  </web-app> </code></pre>
Tags
<java><security><glassfish><java-ee-5><glassfish-2.x>
Title
Java EE 5 security annotations getting ignored on methods in glassfish v2
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USChristian
UserOwnerUserId
1. USChristian
plurals
PostLinksPostIdRelatedPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POJava EE 5 security annotations getting ignored on methods in glassfish v2
 UserUserId
 USChristian
 VoteTypeVoteTypeId
 VTBountyStart
2. VO
 singulars
 PostPostId
 POJava EE 5 security annotations getting ignored on methods in glassfish v2
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POJava EE 5 security annotations getting ignored on methods in glassfish v2
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COYou're saying that annotations on class level were _not_ ignored yet you also say that "Every user can call this method". If the annotation on class level worked correctly, and the one on `add` doesn't, only "employees" (not _every_ user) should be allowed to call `add`?
 singulars
 PostPostId
 POJava EE 5 security annotations getting ignored on methods in glassfish v2
 UserUserId
 USMarcel Stör
2. COIn this example this is right. But I got another example where I don't define RolesAllowed on the class level, but on the method level, and then really every user is allowed.
 singulars
 PostPostId
 POJava EE 5 security annotations getting ignored on methods in glassfish v2
 UserUserId
 USChristian

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.