Hi
We use appserver 8.2 and an LDAP catalog with roles and users.
All our SLSBs are protected by default by a role "user".
We also have some methods that are [b]only allowed[/b] to be accessed by certain other roles, i.e. role web that is only used from webservices. We need to narrow the access rights. If an enduser tries to access a method and does not have the role, the protection works and we get a "no permission exception".
[b]BUT[/b]
Method A in SLSB AA grants permission to role web
Method B in SLSB BB grants permission to roles user and web
Method C in SLSB BB grants permission to role restricteduser
A calls B calls C
Before entering A the appserver checks the roles (I have tried that by not having the role web assigned to me) and the protection works.
The same goes for method B, I have checked it by not having the role web allowed for the method.
When trying to access C there is no check that the user has the role restricteduser, so a user with only role web is allowed to enter the method. If I check with isCallerInRole I can see that the user does not have the role restricteduser.
Is the check against role on method entry not done if the call is not through the service facade?
If so, is there no way to guarantee that a user is not allowed to execute code in a method if the call is local? (Ok, you can use isCallerInRole but declarative is nicer :-) )
I have checked the deployed xml-files and the methods do have the roles described above.
TIA
Jan
[Message sent by forum member 'pliktverket' (pliktverket)]
http://forums.java.net/jive/thread.jspa?messageID=328970
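One scenario that produces exactly the symptom described in the post, as an added illustration and not the poster's code: if method B invokes method C on the same bean instance with a plain Java call (`this.methodC()`), the container never mediates the invocation, so the declarative permission on C is not enforced; routing the call through the bean's own business interface puts the container back in the path. It is written in EJB 3 annotation style for brevity (the appserver 8.2 / EJB 2.1 equivalent is the <method-permission> element in ejb-jar.xml plus a lookup of the bean's own local interface); the class, interface and method names are hypothetical.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical business interface of bean "BB" from the post (names are assumptions).
interface BB {
    void methodB();
    void methodC();
}

@Stateless
public class BBBean implements BB {

    @Resource
    private SessionContext ctx;

    @RolesAllowed({"user", "web"})
    public void methodB() {
        // Unsafe pattern: a direct call on 'this' stays inside the bean instance.
        // The container's security interceptor is never invoked, so the
        // @RolesAllowed("restricteduser") on methodC() is NOT checked here.
        // methodC();

        // Safe pattern: ask the container for this bean's own proxy and call
        // through it. The call is now container-mediated, the method permission
        // is enforced, and a caller without the role gets an EJBAccessException.
        BB self = ctx.getBusinessObject(BB.class);
        self.methodC();
    }

    @RolesAllowed("restricteduser")
    public void methodC() {
        // Defence in depth: a programmatic check that still holds if this method
        // is ever reached through a path the container does not intercept.
        if (!ctx.isCallerInRole("restricteduser")) {
            throw new EJBAccessException("caller lacks role restricteduser");
        }
        // restricted work goes here
    }
}
```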