Application Server 7 / AS7-3422

@RolesAllowed @DenyAll on EJBs does not work


Details

    Type: Bug
    Resolution: Won't Do
    Priority: Major
    Fix Version/s: None
    Affects Version/s: 7.1.0.CR1b
    Component/s: EJB
    Labels: None

    Description

      I have a WAR containing EJBs. Annotating an EJB method with @RolesAllowed or @DenyAll does not work as expected: the method is executed even if the roles do not match.
      I also added the @SecurityDomain annotation, which did not change the behaviour.

      EJBContext.getCallerPrincipal() returns the correct (authenticated) principal, and isCallerInRole() works fine, but @RolesAllowed does not.

      jboss-web.xml:
      <jboss-web>
        <security-domain>formauth</security-domain>
      </jboss-web>

      Here's the security-domain part of standalone.xml, which is referenced in the war:
      <security-domain name="formauth" cache-type="default">
        <authentication>
          <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="defaultUsers.properties"/>
            <module-option name="rolesProperties" value="defaultRoles.properties"/>
          </login-module>
        </authentication>
      </security-domain>

      At https://community.jboss.org/message/648047 is a sample war which reproduces the defect.
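      The following is an added example, not code from the issue or from the reporter's sample war. It shows an EJB declaring the kind of constraints the report describes (@SecurityDomain bound to the "formauth" domain from the standalone.xml above, plus @RolesAllowed, @PermitAll and @DenyAll on individual methods), together with a programmatic isCallerInRole() check as defence in depth, since the report states that the programmatic check honours the authenticated principal while the annotation does not. The bean name, method names and the "admin" role are assumptions for illustration.

```java
// Added example (not from the issue): an EJB with declarative security
// annotations plus a programmatic role check as defence in depth.
// Bean name, method names and the "admin" role are assumed.
package example.security;

import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

// Bind the bean to the same security domain the reporter's jboss-web.xml
// references, so the EJB container authorises against "formauth".
@Stateless
@SecurityDomain("formauth")
public class AccountService {

    @Resource
    private EJBContext ctx;

    // Declaratively: only callers in the "admin" role may invoke this.
    @RolesAllowed("admin")
    public void closeAccount(String accountId) {
        // Defence in depth: refuse explicitly as well, so a deployment in
        // which the annotation is not enforced still cannot reach the
        // business logic without the role.
        requireRole("admin");
        // ... business logic would go here ...
    }

    // Any caller authenticated against the domain may learn its own name.
    @PermitAll
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }

    // Must never be invokable through the container, whatever the role;
    // a correctly enforced @DenyAll raises EJBAccessException before the
    // body runs, and the body refuses too in case it does not.
    @DenyAll
    public void internalReset() {
        throw new EJBAccessException("internalReset must not be reachable");
    }

    // Programmatic check mirroring @RolesAllowed for the given role.
    private void requireRole(String role) {
        if (!ctx.isCallerInRole(role)) {
            throw new EJBAccessException("caller "
                    + ctx.getCallerPrincipal().getName()
                    + " lacks role " + role);
        }
    }
}
```

      With enforcement working, a caller lacking "admin" receives an EJBAccessException from the container before closeAccount() runs; with the behaviour the report describes, requireRole() raises the same exception from inside the method, which also makes the failure visible in server logs rather than silently executing the protected logic.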

People

    Assignee: jaikiran Jaikiran Pai (Inactive)
    Reporter: herb_jira Gernot P (Inactive)