> I've got this exasperating issue:
> 1. In a bean named "CategoryFacade" I've two
> identically annotated session bean methods
> ([b]@RolesAllowed( { "admin", "developer" })[/b]).
> One method is an 'insert' method and the other an
> 'update'. There are no other annotations on the
> method, and there is no role annotation on the
> session bean as a whole
>
> 2. I access the bean from my stand-alone swing
> client, logging in as "auser" (role=='viewer')
how does the role "viewer" relate to the roles "admin" and "developer"?
>
> 3. I get an access violation for the 'save' method
> (expected), and none for the 'update' method (totally
> unexpected).
>
how does the "save" method relate to the "insert" and "update" methods?
> 4. In the case of both methods the SessionContext
> confirms that the user has the expected 'viewer' role
> (and [i]only[/i] that role).
>
> 5. If I connect as an admin, I can call both methods
> with no access violation (as expected).
>
> 6. If I change the access on the update method to
> "@DenyAll", it has no effect - any user/role can
> still call it.
>
> In short, it seems like the 'update' method's
> annotations are invisible to the security system.
> And this at the same time as identical annotations
> and roles work fine on other methods in the same
> session bean.
>
> Any ideas on what could be causing this? - Or how
> to fix it?
>
take a look at your application's policy files under domains/domainx/generated/policy/app-name
the denies will be in a file called excluded.policy
the granted permissions will be in a file called granted.policy
principal-to-role mapping happens before the policy file is written, so you will see grant statements for each of the principals granted to the role.
Ron
> Thanks,
> Ross
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=271874
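The check Ron describes (read granted.policy and excluded.policy and see which bean methods end up excluded, unchecked, or granted to which principals) can be automated. The script below is an added example, not code from either poster or from GlassFish; the two policy texts are constructed samples in the shape of the JACC files the server generates (grant blocks holding javax.security.jacc.EJBMethodPermission entries, with principals already substituted for roles), and the principal class names, the bean name "CategoryFacade", its method names and the parameter types are all assumptions for illustration. A method that was annotated but whose annotation the container never saw will typically show up in an unqualified grant (no principal), which is what makes it callable by anyone:

```python
import re
from collections import defaultdict

# Constructed sample of a generated granted.policy (assumed layout; principal
# class names and bean/method names are illustrative, not from the thread).
GRANTED_POLICY = """
grant principal com.sun.enterprise.deployment.Group "admin" {
    permission javax.security.jacc.EJBMethodPermission "CategoryFacade", "insert,Remote,com.example.Category";
    permission javax.security.jacc.EJBRoleRefPermission "CategoryFacade", "admin";
};
grant principal com.sun.enterprise.deployment.Group "developer" {
    permission javax.security.jacc.EJBMethodPermission "CategoryFacade", "insert,Remote,com.example.Category";
};
grant {
    permission javax.security.jacc.EJBMethodPermission "CategoryFacade", "update,Remote,com.example.Category";
};
"""

# Constructed sample of a generated excluded.policy (assumed layout).
EXCLUDED_POLICY = """
grant {
    permission javax.security.jacc.EJBMethodPermission "CategoryFacade", "delete,Remote,java.lang.Long";
};
"""

EJB_METHOD_PERM = "javax.security.jacc.EJBMethodPermission"

# A grant block: optional "principal <class> "<name>"", then { ... };
GRANT_RE = re.compile(
    r'grant(?:\s+principal\s+(?P<cls>\S+)\s+"(?P<name>[^"]*)")?\s*\{(?P<body>.*?)\}\s*;',
    re.S,
)
# A permission line inside a grant block: type, target, optional actions.
PERM_RE = re.compile(
    r'permission\s+(?P<type>\S+)\s+"(?P<target>[^"]*)"(?:\s*,\s*"(?P<actions>[^"]*)")?\s*;'
)


def parse_policy(text):
    """Yield (principal, perm_type, target, actions) for every permission.

    principal is (class, name) for a qualified grant and None for an
    unqualified grant, which JACC treats as unchecked (any caller)."""
    entries = []
    for g in GRANT_RE.finditer(text):
        principal = None if g.group("cls") is None else (g.group("cls"), g.group("name"))
        for p in PERM_RE.finditer(g.group("body")):
            entries.append((principal, p.group("type"), p.group("target"), p.group("actions") or ""))
    return entries


def method_key(target, actions):
    # EJBMethodPermission actions are "method,interface,paramTypes"; an empty
    # actions string means the permission covers the whole bean.
    method = actions.split(",")[0] if actions else "*"
    return (target, method)


def classify(granted_text, excluded_text):
    """Map (bean, method) -> excluded flag, unchecked flag, granting principals."""
    report = defaultdict(lambda: {"excluded": False, "unchecked": False, "principals": set()})
    for _principal, ptype, target, actions in parse_policy(excluded_text):
        if ptype == EJB_METHOD_PERM:
            report[method_key(target, actions)]["excluded"] = True
    for principal, ptype, target, actions in parse_policy(granted_text):
        if ptype != EJB_METHOD_PERM:
            continue
        entry = report[method_key(target, actions)]
        if principal is None:
            entry["unchecked"] = True
        else:
            entry["principals"].add(principal[1])
    return dict(report)


def effective_access(report, bean, method):
    """Summarize the decision in JACC precedence order: excluded, unchecked, per-principal."""
    e = report.get((bean, method))
    if e is None:
        return "absent from both policy files"
    if e["excluded"]:
        return "excluded (all callers denied)"
    if e["unchecked"]:
        return "unchecked (any caller allowed)"
    if e["principals"]:
        return "granted to principals: " + ", ".join(sorted(e["principals"]))
    return "no grants"


def audit(report, bean, methods):
    """One line per method of the bean, so an open method stands out."""
    return {m: effective_access(report, bean, m) for m in methods}


if __name__ == "__main__":
    rep = classify(GRANTED_POLICY, EXCLUDED_POLICY)
    for m, verdict in audit(rep, "CategoryFacade", ["insert", "update", "delete", "list"]).items():
        print(f"CategoryFacade.{m}: {verdict}")
```

Point the two constants at the real files under generated/policy/app-name to run this against a deployment. In the sample, "insert" is granted only to the admin and developer principals, "delete" is excluded, and "update" sits in an unqualified grant, which is exactly the state that would let a "viewer" call it without an access violation.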