Monday, February 8, 2010

Tip: Interpretation of missing EJB Method Permissions in JBoss

The EJB 2.1 spec says of this case:

"It is possible that some methods are not assigned to any security roles nor contained in the exclude-list element. In this case, it is the responsibility of the Deployer to assign method permissions for all of the unspecified methods, either by assigning them to security roles, or by marking them as unchecked."

What this means is that if a method has neither been assigned to a security role, nor marked "unchecked", nor placed in the exclude-list, the spec hands the decision to the deployer, and in practice to the container vendor's default.

JBoss's default interpretation of missing method permissions is the "excluded" mode: calls to such methods are rejected.


Based on JBAS-2471, we have incorporated a jboss.xml setting that controls the interpretation of missing method permissions: whether to treat them as "excluded" or as "unchecked".

=======================================

<!-- The missing-method-permissions-excluded-mode determines the treatment
of missing method-permission mappings in the ejb-jar descriptor. The ejb 2.1
spec states: "It is possible that some methods are not assigned to any security
roles nor contained in the exclude-list element. In this case, it is the
responsibility of the Deployer to assign method permissions for all of the
unspecified methods, either by assigning them to security roles, or by marking
them as unchecked." The missing-method-permissions-excluded-mode is a boolean
that allows the deployer to globally indicate that all methods without a
method-permission element should be treated as excluded(= true and the default),
or that methods without a method-permission element should be treated as
unchecked(= false)

<missing-method-permissions-excluded-mode>true</missing-method-permissions-excluded-mode>
<missing-method-permissions-excluded-mode>false</missing-method-permissions-excluded-mode>

-->
<!ELEMENT missing-method-permissions-excluded-mode (#PCDATA)>
===========================

First Case:
In the first case, if you specify:
<missing-method-permissions-excluded-mode>true</missing-method-permissions-excluded-mode>

in your jboss.xml (this is also the default when the element is absent), then every method that has no associated method-permission is treated as if it were on the exclude-list: the container rejects every call to it, regardless of the caller's roles.

Second Case:
In the second case, if you specify:
<missing-method-permissions-excluded-mode>false</missing-method-permissions-excluded-mode>

in your jboss.xml, then every method that has no associated method-permission is treated as unchecked: the container performs no authorization check on it, so any caller that can reach the bean can invoke it. This is the permissive setting; if you switch to it, make sure every sensitive method has an explicit method-permission or exclude-list entry, since a method you forgot to list will be open rather than closed.
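To make the two settings concrete, here is an added audit script (not code from the original post or from JBoss) that parses a constructed ejb-jar.xml assembly-descriptor and a jboss.xml fragment and reports, for each bean method, whether it is role-restricted, unchecked, excluded, or unspecified and therefore subject to the flag. It assumes the flag is a direct child of the jboss root element and takes the bean's method list from a hand-written dictionary rather than from the bean's interfaces; the bean, role and method names are invented for the example.

```python
"""Audit which EJB 2.x methods fall through to JBoss's
missing-method-permissions-excluded-mode.

Added example, not code from the original post or from JBoss. The XML
below is constructed for the example.
"""
import xml.etree.ElementTree as ET

EJB_JAR_XML = """<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>admin</role-name></security-role>
    <method-permission>
      <role-name>admin</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>closeAccount</method-name></method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method><ejb-name>AccountBean</ejb-name><method-name>getBalance</method-name></method>
    </method-permission>
    <exclude-list>
      <method><ejb-name>AccountBean</ejb-name><method-name>resetAudit</method-name></method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>"""

# Assumption: the flag is a direct child of the <jboss> root element.
JBOSS_XML_EXCLUDED = """<jboss>
  <missing-method-permissions-excluded-mode>true</missing-method-permissions-excluded-mode>
</jboss>"""

JBOSS_XML_UNCHECKED = """<jboss>
  <missing-method-permissions-excluded-mode>false</missing-method-permissions-excluded-mode>
</jboss>"""

# Methods exposed by the bean. In a real audit these come from the bean's
# home/remote interfaces; here they are listed by hand. "transfer" has no
# method-permission at all, so it is the one the flag decides.
BEAN_METHODS = {
    "AccountBean": ["closeAccount", "getBalance", "resetAudit", "transfer"],
}


def _method_keys(method_elems):
    """Yield (ejb-name, method-name) pairs from <method> elements."""
    for m in method_elems:
        yield (m.findtext("ejb-name"), m.findtext("method-name"))


def _matches(key, ejb, method):
    """A <method> entry matches by bean name and method name or the '*' wildcard."""
    return key[0] == ejb and key[1] in ("*", method)


def classify(ejb_jar_xml, jboss_xml, bean_methods):
    """Return {(ejb, method): effective treatment} for every listed method."""
    asm = ET.fromstring(ejb_jar_xml).find("assembly-descriptor")
    role_keys, unchecked_keys, excluded_keys = [], [], []
    for mp in asm.findall("method-permission"):
        keys = list(_method_keys(mp.findall("method")))
        if mp.find("unchecked") is not None:
            unchecked_keys.extend(keys)
        else:
            roles = tuple(r.text for r in mp.findall("role-name"))
            role_keys.extend((k, roles) for k in keys)
    ex = asm.find("exclude-list")
    if ex is not None:
        excluded_keys.extend(_method_keys(ex.findall("method")))

    # DTD default: element absent, or anything but "false", means excluded.
    flag = ET.fromstring(jboss_xml).findtext("missing-method-permissions-excluded-mode")
    missing_excluded = flag is None or flag.strip().lower() != "false"

    result = {}
    for ejb, methods in bean_methods.items():
        for method in methods:
            # Precedence per the EJB spec: exclude-list wins, then unchecked,
            # then role-based permissions; anything left is unspecified.
            if any(_matches(k, ejb, method) for k in excluded_keys):
                result[(ejb, method)] = "excluded"
            elif any(_matches(k, ejb, method) for k in unchecked_keys):
                result[(ejb, method)] = "unchecked"
            elif any(_matches(k, ejb, method) for k, _ in role_keys):
                roles = sorted({r for k, rs in role_keys
                                if _matches(k, ejb, method) for r in rs})
                result[(ejb, method)] = "roles:" + ",".join(roles)
            else:
                result[(ejb, method)] = ("unspecified->excluded" if missing_excluded
                                         else "unspecified->unchecked")
    return result


def unspecified_methods(result):
    """The methods whose treatment depends on the jboss.xml flag."""
    return sorted(k for k, v in result.items() if v.startswith("unspecified"))


if __name__ == "__main__":
    for label, jb in (("excluded mode", JBOSS_XML_EXCLUDED),
                      ("unchecked mode", JBOSS_XML_UNCHECKED)):
        print(label)
        for key, treatment in sorted(classify(EJB_JAR_XML, jb, BEAN_METHODS).items()):
            print("  %s.%s -> %s" % (key[0], key[1], treatment))
```

Run it before flipping the flag to false: any method reported as "unspecified" is one that silently opens up under unchecked mode, and those are the entries to add to the assembly-descriptor first.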

Reference:
1. Discussion on ejb3 interpretation of this flag. (Under investigation)
2. Default setting in standardjboss.xml

1 comment:

Josef Cacek said...

The EJB 3.1 spec on this case says:

17.3.2.3 Unspecified Method Permissions
It is possible that some methods are not assigned to any security roles nor annotated as DenyAll or contained in the exclude-list element. In this case, the Deployer should assign method permissions for all of the unspecified methods, either by assigning them to security roles, or by marking them as unchecked. If the Deployer does not assign method permissions to the unspecified methods, those methods must be treated by the container as unchecked.


IMO it says we should not use the exclude list for such methods, but the unchecked list.