Something I've just noticed too:
Note the change in curly braces in @RolesAllowed; this only seems to be the case when only one role is specified.
When the annotation is specified like this:
[code]@RolesAllowed({"application_assets_admin"})[/code]
The following entry appears in the blanket grant statement in the granted.policy file:
[code]
grant {
...
permission javax.security.jacc.EJBMethodPermission "AssetManagerEJB", "getAssetList,Local,java.lang.String";
...
};
[/code]
When the annotation is specified like this:
[code]@RolesAllowed("application_assets_admin")[/code]
The entry then appears in the proper grant I would expect:
[code]
grant principal com.sun.enterprise.deployment.Group "Operations_Engineering_Developer" {
...
permission javax.security.jacc.EJBMethodPermission "AssetManagerEJB", "getAssetList,Local,java.lang.String";
...
};
[/code]
It seems to me that test1 would be allowed through in the case above, but not in the case below. However, test1 is still being allowed access to the method:
[code]
JACC: permission initialized in InvocationInfo: EJBMethodPermission (Name) = AssetManagerEJB (Action) = getAssetList,Local,java.lang.String
JACC: returning cached ProtectionDomain - CodeSource: ((file:/intranet/intranet-ejb_jar <no signer certificates>)) PrincipalSet: test1 Operations Operations_Engineering
JACC: Changing Policy Context ID: oldV = intranet/intranet-war_war newV = intranet/intranet-ejb_jar
JACC: Changing Policy Context ID: oldV = intranet/intranet-ejb_jar newV = intranet/intranet-war_war
JACC: Access Control Decision Result: true EJBMethodPermission (Name) = AssetManagerEJB (Action) = getAssetList,Local,java.lang.String (Caller) = test1
[/code]
isCallerInRole seems to disagree:
[code]
JACC: Changing Policy Context ID: oldV = intranet/intranet-war_war newV = intranet/intranet-ejb_jar
ENTRY application_assets_admin
JACC: returning cached ProtectionDomain - CodeSource: ((file:/intranet/intranet-ejb_jar <no signer certificates>)) PrincipalSet: test1 Operations Operations_Engineering
JACC Policy Provider: PolicyWrapper.getPermissions(d), context (intranet/intranet-ejb_jar) permissions: java.security.Permissions_at_19c384e (
JACC Policy Provider: PolicyWrapper.implies, context(intranet/intranet-ejb_jar)- permission((javax.security.jacc.EJBRoleRefPermission AssetManagerEJB application_assets_admin)) domain that failed(ProtectionDomain (file:/intranet/intranet-ejb_jar <no signer certificates>)
JACC Policy Provider: PolicyWrapper.implies, context (intranet/intranet-ejb_jar)- result was(false) permission ((javax.security.jacc.EJBRoleRefPermission AssetManagerEJB application_assets_admin))
JACC: isCallerInRole Result: false EJBRoleRefPermission (Name) = AssetManagerEJB (Action) = application_assets_admin (Codesource) = (file:/intranet/intranet-ejb_jar <no signer certificates>)
JACC: Changing Policy Context ID: oldV = intranet/intranet-ejb_jar newV = intranet/intranet-war_war
[/code]
[Message sent by forum member 'jeffreyrodriguez' (jeffreyrodriguez)]
http://forums.java.net/jive/thread.jspa?messageID=218448
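The post's symptom is that an EJBMethodPermission ended up in the unconditional `grant { ... }` block of granted.policy, so any caller's ProtectionDomain implies it and the method-level access check passes even when isCallerInRole says the caller lacks the role. The following is an added example, not code from the forum thread or from GlassFish: a small Python audit script that parses a granted.policy file and reports EJBMethodPermission entries that sit in a grant block with no `principal` clause. The policy text embedded below is constructed to mirror the two grant shapes quoted in the post; the grammar handled (`grant [principal Class "name" ...] { permission Class "name"[, "actions"]; };`) is the standard Java policy file syntax.

```python
"""Audit a JACC granted.policy file for blanket (principal-less) grants of
EJBMethodPermission.  Added example; SAMPLE_POLICY is constructed text
modelled on the grant blocks quoted in the forum post, not a real file."""
import re
from dataclasses import dataclass

# Constructed sample: one blanket grant and one Group-scoped grant.
SAMPLE_POLICY = """
grant {
    permission javax.security.jacc.EJBMethodPermission "AssetManagerEJB", "getAssetList,Local,java.lang.String";
};

grant principal com.sun.enterprise.deployment.Group "Operations_Engineering_Developer" {
    permission javax.security.jacc.EJBMethodPermission "AssetManagerEJB", "getAssetList,Local,java.lang.String";
    permission javax.security.jacc.EJBRoleRefPermission "AssetManagerEJB", "application_assets_admin";
};
"""

# One grant block: optional principal clauses, then a brace-delimited body ending in "};"
GRANT_RE = re.compile(r'grant\s*(?P<who>[^{]*)\{(?P<body>.*?)\};', re.S)
# principal <class> "<name>"
PRINCIPAL_RE = re.compile(r'principal\s+([\w.]+)\s+"([^"]*)"')
# permission <class> "<name>"[, "<actions>"];
PERM_RE = re.compile(
    r'permission\s+(?P<cls>[\w.]+)\s+"(?P<name>[^"]*)"'
    r'(?:\s*,\s*"(?P<actions>[^"]*)")?\s*;')


@dataclass
class Grant:
    principals: list  # (class, name) pairs; empty list means a blanket grant
    permissions: list  # (class, name, actions) triples


def parse_policy(text):
    """Split policy text into Grant records (one per grant block)."""
    grants = []
    for m in GRANT_RE.finditer(text):
        principals = PRINCIPAL_RE.findall(m.group('who'))
        perms = [(p.group('cls'), p.group('name'), p.group('actions') or '')
                 for p in PERM_RE.finditer(m.group('body'))]
        grants.append(Grant(principals, perms))
    return grants


def blanket_method_permissions(grants):
    """EJBMethodPermission entries granted with no principal: every caller
    whose ProtectionDomain is evaluated against this policy will pass."""
    return [perm for g in grants if not g.principals
            for perm in g.permissions
            if perm[0].endswith('EJBMethodPermission')]


def principals_for(grants, perm_cls_suffix, name, actions):
    """Principal names whose grant block carries the given permission.
    Returns the set of (class, name) pairs; an empty tuple entry () is
    included when a blanket grant also carries it."""
    holders = set()
    for g in grants:
        for cls, pname, pactions in g.permissions:
            if cls.endswith(perm_cls_suffix) and pname == name and pactions == actions:
                holders.update(g.principals or [()])
    return holders


def audit(text):
    """Human-readable findings for a policy file's text."""
    grants = parse_policy(text)
    return [f"BLANKET GRANT: {cls} \"{name}\", \"{actions}\" is implied for any caller"
            for cls, name, actions in blanket_method_permissions(grants)]


if __name__ == '__main__':
    for line in audit(SAMPLE_POLICY):
        print(line)
```

Run it against a real `granted.policy` by reading the file into `audit()`; a non-empty result means the container will authorize the listed EJB methods for every caller regardless of role membership, which is the behaviour the post observed for test1.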