
Clarification on EJBContext#isCallerInRole(String)

ljnelson

The EJB specification and the Javadoc for EJBContext both say that its
isCallerInRole() method is permitted to throw an IllegalStateException if
the caller is not allowed to call the method. The context surrounding these
statements implies this is to ward off calling this method when you're not
in a security context, and that makes sense.

Glassfish's implementation also throws an IllegalStateException when you
call this method in a valid context, but if you pass it a role name that the
application doesn't know about. So if I say:

ejbContext.isCallerInRole("foobar");

...and have never done a @DeclareRoles({ "foobar" }) or the deployment
descriptor equivalent, this call will not return false, but will throw an
IllegalStateException.

This seems wrong to me. I suppose strictly speaking it's OK--indeed, I'm
not supposed to call this method with a String that is not a valid role
name, but...would it kill this method to simply return false? Can anyone
comment?

Thanks,
Laird

ljnelson

On Mon, Aug 8, 2011 at 6:55 PM, Laird Nelson wrote:

> This seems wrong to me. I suppose strictly speaking it's OK--indeed, I'm
> not supposed to call this method with a String that is not a valid role
> name, but...would it kill this method to simply return false?
>

Enhancement/bug filed: http://java.net/jira/browse/GLASSFISH-17169

Best,
Laird
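
An added example, not part of the original thread and not GlassFish code: a fail-closed wrapper around the isCallerInRole() behaviour discussed above, next to the @DeclareRoles declaration that avoids the exception in the first place. The bean name ReportBean, the role name "auditor" and the helper callerHasRole are hypothetical; it compiles against the standard javax.ejb and javax.annotation APIs.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBContext;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean; "auditor" is a constructed role name.
@Stateless
@DeclareRoles({ "auditor" }) // every role passed to isCallerInRole() is declared here
public class ReportBean {

    private static final Logger LOG = Logger.getLogger(ReportBean.class.getName());

    @Resource
    private SessionContext ctx;

    /**
     * Role check that denies instead of propagating IllegalStateException.
     * The exception can mean "no security context" or, on GlassFish as
     * described in the thread, "role name was never declared". Both are
     * treated as "not in role" and logged, so a missing declaration shows
     * up in the server log rather than as an unhandled error.
     */
    static boolean callerHasRole(EJBContext ctx, String role) {
        if (role == null || role.isEmpty()) {
            return false; // never ask the container about an empty role name
        }
        try {
            return ctx.isCallerInRole(role);
        } catch (IllegalStateException e) {
            LOG.log(Level.WARNING,
                    "isCallerInRole(\"" + role + "\") threw; denying access", e);
            return false;
        }
    }

    public String fetchReport() {
        if (!callerHasRole(ctx, "auditor")) {
            throw new EJBAccessException("caller is not in role auditor");
        }
        return "report"; // constructed placeholder for the protected result
    }
}
```

The logged warning matters: silently mapping the exception to false would hide a misspelled or undeclared role name, which then denies every caller.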