users@glassfish.java.net

Re: EJB 2 rolebased security on method level not working

From: <glassfish_at_javadesktop.org>
Date: Fri, 30 Jan 2009 07:18:08 PST

Hi

I have managed to reduce the problem a bit.
We are using XDoclet to generate a lot of code, so @ejb.permission is the XDoclet way to say that the role "User" is required to access the method, and @service.facade-method says the method is part of the generated service facade.
I have checked the deployed XML files and everything is correct.

In SLSB AA there are two methods:

    /**
     * Checks whether a person with the given key lives at a secure location.
     * That is OK to ask for any user in the system.
     *
     * @ejb.permission role-name="User"
     * @service.facade-method
     */
    public boolean existAdress(key)
    {
        // it delegates this to readAdress
        Map adressMap = readAdress(key);
        // if the map contains anything it returns true, otherwise false
        return adressMap != null && !adressMap.isEmpty();
    }

    /**
     * Returns the address of the secret location; only allowed for
     * privileged users with role "Adress".
     *
     * @ejb.permission role-name="Adress"
     * @service.facade-method
     */
    public Map readAdress(key)
    {
        // Find the entity with a finder method and return the address
    }

I created two test cases that I run in one run; the first test calls existAdress and the second calls readAdress.
The user has ONLY the role "User" in the LDAP catalog.

A call to readAdress gives an
org.omg.CORBA.NO_PERMISSION caused by...
javax.ejb.AccessLocalException: Client not authorized for this invocation.

This is the expected behaviour.

When calling existAdress everything completes, which I think is wrong, as the method readAdress should only allow users with role "Adress".

Have I misunderstood how role-based security on method level should work?

Jan
PS
The system is not connected to the Internet; that's the reason I haven't attached any files. It is a bit tricky to get the files out for publishing, but if you need the files I WILL get them :-)
DS
[Message sent by forum member 'pliktverket' (pliktverket)]

http://forums.java.net/jive/thread.jspa?messageID=329233
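The behaviour described in the post is what container-managed method permissions give: the EJB container checks the caller's roles when a method is invoked through the bean's EJB object or local object (the container-generated proxy), while a plain Java call from one bean method to another on the same instance never reaches that check. The following is an added example, not code from the post, from GlassFish or from XDoclet. It models the container as a java.lang.reflect.Proxy, uses a hypothetical AdressLocal interface and a role table standing in for the deployment descriptor's method permissions, and embeds constructed sample data. It also shows the variant where existAdress re-enters the container through a reference to its own EJB object (what SessionContext.getEJBLocalObject() provides in EJB 2), which is the case where the nested readAdress call is checked.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration, not GlassFish, XDoclet or the poster's code.
// The "container" is a dynamic proxy that consults a method -> required-role
// table (a stand-in for <method-permission> in ejb-jar.xml) before forwarding.
public class MethodPermissionDemo {
    // Hypothetical local interface for the bean from the post.
    public interface AdressLocal {
        boolean existAdress(String key);
        Map<String, String> readAdress(String key);
    }

    // Bean as sketched in the post: existAdress calls readAdress directly,
    // so the nested call never reaches the container proxy.
    public static class AdressBean implements AdressLocal {
        protected final Map<String, Map<String, String>> store = new HashMap<>();
        public AdressBean() {
            Map<String, String> a = new HashMap<>();
            a.put("street", "Secret street 1");   // constructed sample data
            store.put("p1", a);
        }
        public boolean existAdress(String key) {
            Map<String, String> m = readAdress(key);   // plain Java call, unchecked
            return m != null && !m.isEmpty();
        }
        public Map<String, String> readAdress(String key) {
            return store.get(key);
        }
    }

    // Variant that re-enters the container: in EJB 2 this is what calling
    // sessionContext.getEJBLocalObject().readAdress(key) achieves.
    public static class SelfCallingAdressBean extends AdressBean {
        AdressLocal self;   // set by deploy(); plays the role of getEJBLocalObject()
        public boolean existAdress(String key) {
            Map<String, String> m = self.readAdress(key);   // goes through the proxy
            return m != null && !m.isEmpty();
        }
    }

    // Stand-in for the method-permission entries generated from @ejb.permission.
    static final Map<String, String> REQUIRED_ROLE = new HashMap<>();
    static {
        REQUIRED_ROLE.put("existAdress", "User");
        REQUIRED_ROLE.put("readAdress", "Adress");
    }

    // Wraps the bean in a role-checking proxy for a caller holding callerRoles.
    public static AdressLocal deploy(final AdressBean bean, final Set<String> callerRoles) {
        InvocationHandler h = new InvocationHandler() {
            public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
                String needed = REQUIRED_ROLE.get(m.getName());
                if (needed != null && !callerRoles.contains(needed)) {
                    throw new SecurityException("Client not authorized for this invocation: " + m.getName());
                }
                try {
                    return m.invoke(bean, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause();   // unwrap so a nested SecurityException surfaces as-is
                }
            }
        };
        AdressLocal proxy = (AdressLocal) Proxy.newProxyInstance(
                AdressLocal.class.getClassLoader(), new Class<?>[]{AdressLocal.class}, h);
        if (bean instanceof SelfCallingAdressBean) {
            ((SelfCallingAdressBean) bean).self = proxy;
        }
        return proxy;
    }

    static String call(String label, Runnable r) {
        try {
            r.run();
            return label + ": allowed";
        } catch (SecurityException e) {
            return label + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Set<String> onlyUser = Collections.singleton("User");   // the LDAP user from the post
        AdressLocal asPosted = deploy(new AdressBean(), onlyUser);
        System.out.println(call("readAdress (direct)", () -> asPosted.readAdress("p1")));
        System.out.println(call("existAdress (internal call)", () -> asPosted.existAdress("p1")));
        AdressLocal reentrant = deploy(new SelfCallingAdressBean(), onlyUser);
        System.out.println(call("existAdress (via EJB object)", () -> reentrant.existAdress("p1")));
    }
}
```

Compile with javac and run with java MethodPermissionDemo. For a caller holding only "User", the direct readAdress call is refused, existAdress on the bean as posted is allowed (the nested readAdress is never seen by the proxy), and existAdress on the re-entering variant is refused because the nested call now passes the role check. The alternative, if existAdress is meant to stay callable by "User" while still protecting the data, is a programmatic check inside the bean with SessionContext.isCallerInRole("Adress") before the internal call; either way the container does not inspect intra-bean Java calls.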