
Security Problem in weblogic


Suni

May 18, 2005, 12:44:18 AM
Something related to security in weblogic. The error trace is as
follows...

java.rmi.AccessException: [EJB:010160]Security Violation: User:
'<anonymous>' has insufficient permission to access EJB: type=<ejb>,
application=jmetro, module=jmetro.jar, ejb=MySessionBean,
method=create, methodInterface=Home, signature={}.
    at weblogic.ejb20.internal.MethodDescriptor.checkMethodPermissionsRemote(MethodDescriptor.java:550)
    at weblogic.ejb20.internal.StatelessEJBHome.create(StatelessEJBHome.java:157)
    at com.sunny.metro.server.ejb.MySessionBean_tc67pu_HomeImpl.create(MySessionBean_tc67pu_HomeImpl.java:66)
    at com.sunny.metro.timer.StartTimerServlet.init(StartTimerServlet.java:35)


The scenario is as follows..

I have a servlet. In its init() method, I am accessing a session
bean (MySessionBean) to perform some functionality.

public void init(ServletConfig config) throws ServletException {
    super.init(config);
    System.out.println("%%%%%% This is invoking the servlet %%%%%%");
    mySessionHome = Session.getMySessionHome();
    try {
        // create() is the call that throws the AccessException in the trace above
        mySession = mySessionHome.create();
        mySession.createTimer();
    } catch (RemoteException e) {
        e.printStackTrace();
    } catch (CreateException e) {
        e.printStackTrace();
    }
}

I put some method permissions for this session bean for the method
create in ejb-jar.xml.

The ejb-jar.xml excerpt for the MySessionBean..
<session id="MySessionBean">
    <display-name>MySessionBean</display-name>
    <ejb-name>MySessionBean</ejb-name>
    <home>com.sunny.metro.server.ejb.MySessionHome</home>
    <remote>com.sunny.metro.server.ejb.MySession</remote>
    <ejb-class>com.sunny.metro.server.ejb.MySessionBean</ejb-class>
    <session-type>Stateless</session-type>
    <transaction-type>Container</transaction-type>
    <security-role-ref>
        <role-name>MetroAdmin</role-name>
        <role-link>AWSAdmin</role-link>
        <!--Comment the above line and uncomment the following
        line for "All Users are Admin" mode
        <role-link>AWSUser</role-link>
        -->
    </security-role-ref>
    <security-role-ref>
        <role-name>MetroDesigner</role-name>
        <role-link>AWSDesigner</role-link>
    </security-role-ref>
</session>

...
<method-permission>
    <role-name>AWSAdmin</role-name>
    <role-name>AWSDesigner</role-name>
    <!-- Uncomment the following line for "All Users are Admin"
    mode
    <role-name>AWSUser</role-name>
    -->
    <method>
        <ejb-name>MySessionBean</ejb-name>
        <method-name>create</method-name>
    </method>
</method-permission>

The servlet's web.xml...
<web-app>
    <servlet>
        <servlet-name>StartTimerServlet</servlet-name>
        <display-name>Timer</display-name>
        <description>This is to Start the Timer</description>
        <servlet-class>com.sunny.metro.timer.StartTimerServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
        <run-as>
            <role-name>AWSAdmin</role-name>
        </run-as>
    </servlet>
    <servlet-mapping>
        <servlet-name>StartTimerServlet</servlet-name>
        <url-pattern>/servlets/JMetroTimer</url-pattern>
    </servlet-mapping>
    <security-role>
        <description>Administrator</description>
        <role-name>AWSAdmin</role-name>
    </security-role>
</web-app>

And weblogic.xml is ...

<weblogic-web-app>

    <security-role-assignment>
        <role-name>AWSAdmin</role-name>
        <principal-name>system</principal-name>
    </security-role-assignment>

    <run-as-role-assignment>
        <role-name>AWSAdmin</role-name>
        <run-as-principal-name>system</run-as-principal-name>
    </run-as-role-assignment>

</weblogic-web-app>

Please let me know if this is a known issue in weblogic or I am missing
something. BTW I am using weblogic90b.

Thanks,
Suni.
