Loading...

XML

Word

Printable

Details

Type: Feature Request
Resolution: Done
Priority: Major
Fix Version/s: EAP 6.1.0.Alpha (7.2.0.Final)
Affects Version/s: 7.1.2.Final (EAP)
Component/s: EJB
Labels:
None

Git Pull Request:
https://github.com/jbossas/jboss-as/pull/3075, https://github.com/jbossas/jboss-as/pull/3164

Description

Consider the following example:

@Stateless
public class SecureBean 
{

   @RolesAllowed("role1")
   public void restrictedRoles()
   {
    ...
   }

   @DenyAll
   public void denyEveryone()
   {
     ...
   }

}

Notice that the bean methods use EJB security annotations to restrict access however the bean doesn't have any explicit @SecurityDomain configured (not even in jboss-ejb3.xml). Right now, AS7 ignores the security restriction on that bean allows everyone to invoke on it, as if security wasn't configured for that bean. This has confused users who expect the invocations to fail since they have used the javax.ejb.* security annotations to restrict access. Many users have asked for a feature where the security domain is defaulted (if not explicitly specified) in cases like this.

This JIRA is expected to introduce this feature in AS 7.2.x

Attachments

Activity

People

Assignee:: Jaikiran Pai (Inactive)

Reporter:: Jaikiran Pai (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2012/09/18 11:05 AM

Updated:: 2022/09/09 6:12 AM

Resolved:: 2012/09/21 3:07 AM