GLASSFISH-17169

EJBContext#isCallerInRole(String) should not throw IllegalStateException when passed bad role

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Works as designed
    • Affects Version/s: 3.1.1
    • Fix Version/s: None
    • Component/s: ejb_container, security
    • Labels:
      None

      Description

      EJBContext#isCallerInRole(String) is documented to be allowed to throw an IllegalStateException when the caller is not in a state to be allowed to call the method (i.e. if the method is called outside of a security context).

      Glassfish's implementation uses this vague wording to mean that isCallerInRole() should also throw an IllegalStateException when it is handed a role name that Glassfish doesn't know anything about.

      I've filed this as an enhancement since I don't really know whether strictly speaking this is a specification violation or not. But to my eyes if I call someEjbContext.isCallerInRole("fred") I should get true or false, without the danger of an IllegalStateException (provided of course I'm actually calling this method from within an EJB business method).

        Activity

        Cheng Fang added a comment -

        See another related issue: http://java.net/jira/browse/GLASSFISH-10779

        EJBContext javadocs say:
        roleName - The name of the security role. The role must be one of the security roles that is defined in the deployment descriptor.

        Throws:
        IllegalStateException - The Container throws the exception if the instance is not allowed to call this method.

        -------
        The current implementation is compliant. If false is returned in this case, the user can't tell whether the caller is in a valid role, or the role does not exist.
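
A caller-side way to handle the behaviour discussed in this issue, as an added example that is not part of the original report or of GlassFish's code: the bean declares the roles it tests with `@DeclareRoles` and keeps an unevaluated check distinct from a negative one while still denying access. The bean, method and role names are hypothetical, and the code assumes the Java EE 6 `javax.*` APIs.

```java
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean; the role names "auditor" and "admin" are constructed.
@Stateless
@DeclareRoles({"auditor", "admin"}) // every role passed to isCallerInRole is declared here
public class ReportService {

    /** Keeps "caller lacks the role" apart from "the check could not be evaluated". */
    enum RoleCheck { IN_ROLE, NOT_IN_ROLE, NOT_EVALUATED }

    private static final Logger LOG = Logger.getLogger(ReportService.class.getName());

    @Resource
    private SessionContext ctx;

    RoleCheck checkRole(String role) {
        try {
            return ctx.isCallerInRole(role) ? RoleCheck.IN_ROLE : RoleCheck.NOT_IN_ROLE;
        } catch (IllegalStateException e) {
            // Thrown when the instance is not allowed to call the method and, on
            // GlassFish as described in this issue, when the role name is unknown.
            // Log it as a deployment error instead of folding it into "false".
            LOG.severe("Role check not evaluated for role '" + role + "': " + e.getMessage());
            return RoleCheck.NOT_EVALUATED;
        }
    }

    public String exportReport() {
        // Fail closed: only an affirmative IN_ROLE result grants access.
        if (checkRole("auditor") != RoleCheck.IN_ROLE) {
            throw new EJBAccessException("auditor role required");
        }
        return "report body";
    }
}
```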


          People

          • Assignee:
            marina vatkina
            Reporter:
            ljnelson
          • Votes:
            0
            Watchers:
            0