GLASSFISH-20036

EJB's declaration of roles used in role references

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0
    • Fix Version/s: 4.0_b85
    • Component/s: security
    • Labels: None

      Description

      The EJB spec requires that role references be declared either by annotation (@DeclareRole or @RolesAllowed) or by security-role-ref within the EJB deployment descriptor. The EJB spec does not consider the definition of a security-role within the EJB deployment descriptor as an implicit declaration of a corresponding security-role-ref for the role (given that the security-role-ref has not otherwise been declared).

        Activity

        Craig Perez added a comment -

        There are a couple of areas to address:

        • Adding of the EJBRoleRefPermission grants
        • Handling of the IllegalStateException when invoking isCallerInRole()
        Craig Perez added a comment -
        • What is the impact on the customer of the bug?

        Existing EJB security-role-ref handling not conformant with
        JACC 1.5 and EJB 3.2 specifications

        • What is the cost/risk of fixing the bug?

        Small, the code changes update EJB role reference handling
        and remove exceptions thrown when role references were
        not found to be declared at run-time.

        • Is there an impact on documentation or message strings?

        No

        • Which tests should QA (re)run to verify the fix did not destabilize GlassFish?

        CTS7 JACC TCK, EJB tests

        • Which is the targeted build of 4.0 for this fix?

        b85

        • If this is an integration of a new version of a component from another project,
          what are the changes that are being brought in? This might be a list of
          Jira issues from that project or a list of revision messages.

        N/A

        Tom Mueller added a comment -

        Approved for 4.0.

        Craig Perez added a comment -

        [glassfish~svn:61324] GLASSFISH-20036 - EJB's declaration of roles used in role references

        Project: glassfish
        Repository: svn
        Revision: 61324
        Author: crperez
        Date: 2013-04-10 15:12:58 UTC
        Link:

        Log Message:
        ------------
        GLASSFISH-20036 - EJB's declaration of roles used in role references

        • Add handling of EJBRoleRefPermission based on security-role declarations
        • Remove exception for isCallerInRole() when security-role-ref not declared
          Reviewed by Ron Monzillo, Marina Vatkina
          Passed JACC TCK, QuickLook, findbugs, CTS smoke, devtests EJB Web Admin

        Revisions:
        ----------
        61324

        Modified Paths:
        ---------------
        trunk/main/appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/security/application/EJBSecurityManager.java
        trunk/main/appserver/ejb/ejb-full-container/src/main/java/org/glassfish/ejb/mdb/MessageBeanContextImpl.java
        trunk/main/appserver/ejb/ejb-container/src/main/java/com/sun/ejb/containers/EJBContextImpl.java
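
The grant handling that revision 61324 describes, sketched as an added example; it is not GlassFish code and not taken from the commit. It assumes the rule that each declared security-role without a same-named security-role-ref yields an EJBRoleRefPermission named after the role and granted to that role; the class, method and role names are hypothetical, and returning false for an unknown reference is also an assumption.

```java
import java.util.*;

// Simplified model, not GlassFish code. A grant "role -> refName" stands for
// EJBRoleRefPermission(ejbName, refName) added to that role's permissions.
public class RoleRefGrants {
    // EJB 3.2 name for the any-authenticated-user role.
    static final String ANY_AUTHENTICATED = "**";

    // roleRefs: security-role-ref role-name -> role-link (explicit declarations).
    // securityRoles: security-role names declared in ejb-jar.xml.
    static Map<String, Set<String>> grants(Map<String, String> roleRefs,
                                           Set<String> securityRoles) {
        Map<String, Set<String>> byRole = new TreeMap<>();
        // Explicit reference: the permission goes to the linked role.
        roleRefs.forEach((ref, link) ->
            byRole.computeIfAbsent(link, k -> new TreeSet<>()).add(ref));
        // Assumed rule: a declared role with no same-named reference
        // gets an identity grant; "**" is treated the same way.
        Set<String> implicit = new TreeSet<>(securityRoles);
        implicit.add(ANY_AUTHENTICATED);
        for (String role : implicit) {
            if (!roleRefs.containsKey(role)) {
                byRole.computeIfAbsent(role, k -> new TreeSet<>()).add(role);
            }
        }
        return byRole;
    }

    // Models isCallerInRole(refName): an undeclared name yields false
    // (assumption) instead of an IllegalStateException.
    static boolean isCallerInRole(Map<String, Set<String>> byRole,
                                  Set<String> callerRoles, String refName) {
        for (String role : callerRoles) {
            if (byRole.getOrDefault(role, Collections.emptySet()).contains(refName)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed descriptor: ref "boss" linked to "manager"; roles manager, staff.
        Map<String, Set<String>> g =
            grants(Map.of("boss", "manager"), Set.of("manager", "staff"));
        System.out.println(g);
        Set<String> caller = Set.of("staff", ANY_AUTHENTICATED);
        for (String name : List.of("staff", "boss", "**", "auditor")) {
            System.out.println(name + " -> " + isCallerInRole(g, caller, name));
        }
    }
}
```

In the model, a caller holding only `staff` passes the check for `staff` through the implicit grant but not for `boss`, which stays bound to `manager` by its explicit role-link.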

        Craig Perez added a comment -

        [glassfish~svn:61325] GLASSFISH-20036 - Add in the devtest cases based on security-role-ref han

        Project: glassfish
        Repository: svn
        Revision: 61325
        Author: crperez
        Date: 2013-04-10 15:14:50 UTC
        Link:

        Log Message:
        ------------
        GLASSFISH-20036 - Add in the devtest cases based on security-role-ref handling

        • any authenticated user role not declared explicitly
        • role references to security roles not required

        Revisions:
        ----------
        61325

        Modified Paths:
        ---------------
        trunk/v2/appserv-tests/devtests/security/jaccmr8/client/Client.java
        trunk/v2/appserv-tests/devtests/security/jaccmr8/ejb/HelloStatefulEJB.java
        trunk/v2/appserv-tests/devtests/security/jaccmr8/ejb/HelloEJB.java
        trunk/v2/appserv-tests/devtests/security/jaccmr8/descriptor/ejb-jar.xml

        Craig Perez added a comment -

        [glassfish~svn:61366] GLASSFISH-20036 - Remove commented code blocks

        Project: glassfish
        Repository: svn
        Revision: 61366
        Author: crperez
        Date: 2013-04-11 17:01:48 UTC
        Link:

        Log Message:
        ------------
        GLASSFISH-20036 - Remove commented code blocks

        Revisions:
        ----------
        61366

        Modified Paths:
        ---------------
        trunk/main/appserver/ejb/ejb-full-container/src/main/java/org/glassfish/ejb/mdb/MessageBeanContextImpl.java
        trunk/main/appserver/ejb/ejb-container/src/main/java/com/sun/ejb/containers/EJBContextImpl.java


          People

          • Assignee: Craig Perez
          • Reporter: Craig Perez