users@glassfish.java.net

Security Manager fails to block ejb access

From: <glassfish_at_javadesktop.org>
Date: Wed, 23 Apr 2008 14:09:56 PDT

I've got a stand-alone Swing app that connects up to an ejb module with stateless beans. As I'm now at the point of adding authentication to the application I've been trying to turn on security. But no matter what I do, I can't seem to get the security system to refuse access to the ejb module from my client. I've enabled the security manager and set a default realm (I've tried all the existing, and also made my own file realm).
Turning on the manager does cause an access violation, but it is coming from logging calls inside the bean methods. I fixed this by adding a general grant in the server.policy file:
permission java.util.logging.LoggingPermission "control";

At first I thought this might be the problem, but it does not seem broad enough to allow indiscriminate access.

The beans themselves have no permissions annotations yet.

I really can't add authentication/permissions until I can get authentication to fail...

Anybody have any ideas? (I'm using v2ur1 on 1.6.0_02)


Thanks,
Ross
[Message sent by forum member 'rycohen2000' (rycohen2000)]

http://forums.java.net/jive/thread.jspa?messageID=270830