Details
Type: Bug
Resolution: Won't Do
Priority: Major
Version: 7.1.0.CR1b
Description
I have a WAR with EJBs in it. Annotating an EJB method with @RolesAllowed or @DenyAll does not work as expected: the method is executed even if the roles do not match.
I also added the @SecurityDomain annotation, which did not change the behaviour.
EJBContext getCallerPrincipal() returns the correct (authenticated) principal, and isCallerInRole() works fine, but @RolesAllowed does not.
jboss-web.xml:
<jboss-web>
    <security-domain>formauth</security-domain>
</jboss-web>
Here is the security-domain part of standalone.xml, which is referenced in the WAR:
<security-domain name="formauth" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="defaultUsers.properties"/>
            <module-option name="rolesProperties" value="defaultRoles.properties"/>
        </login-module>
    </authentication>
</security-domain>
At https://community.jboss.org/message/648047 there is a sample WAR which reproduces the defect.
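As an added illustration, not code from the report or its sample WAR, here is a bean shaped like the one described: @RolesAllowed and @DenyAll on the methods, @SecurityDomain("formauth") on the class, plus an explicit isCallerInRole() check so the method fails closed even if the declarative check is not enforced. The class name, method names and the "admin" role are assumptions.

```java
import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

// Hypothetical bean. "formauth" is the security domain from the report;
// the role "admin" and the method names are assumptions for illustration.
@Stateless
@SecurityDomain("formauth")
public class PayrollBean {

    @Resource
    private SessionContext ctx;

    // Declarative check: the container should reject callers lacking "admin".
    @RolesAllowed("admin")
    public String exportSalaries() {
        // Defensive programmatic check. The report says isCallerInRole()
        // works even where @RolesAllowed is not enforced, so this keeps the
        // method from silently running if the declarative check is skipped.
        requireRole("admin");
        return "salaries for " + ctx.getCallerPrincipal().getName();
    }

    // Declaratively unreachable; fail loudly if the container lets it through.
    @DenyAll
    public void internalOnly() {
        throw new EJBAccessException("internalOnly() must never be callable");
    }

    private void requireRole(String role) {
        if (!ctx.isCallerInRole(role)) {
            throw new EJBAccessException("caller "
                    + ctx.getCallerPrincipal().getName() + " lacks role " + role);
        }
    }
}
```

A quick check is to call exportSalaries() as a user authenticated without the admin role: with enforcement working the container throws EJBAccessException before the body runs, and with it broken requireRole() still throws, so the call never returns data either way.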