JBoss Enterprise Application Platform 6
JBPAPP6-1465

Custom authorization modules are not involved in EJBs protection

      Description

      Custom authorization modules defined in a security domain (authorization/policy-module) are not used for EJB protection (they work correctly for web applications).
      As a result, a user can access a resource (an EJB method call) even when the authorization result from the custom module would be DENY.

      There may be missing logic in the org.jboss.as.ejb3.security.AuthorizationInterceptor class.

      The class org.jboss.security.plugins.JBossAuthorizationManager is used only for role-assignment checks; its authorize(...) methods do not appear to be called for EJBs at all.
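      An added diagnostic (not part of this issue or of JBoss EAP) that makes the reported gap observable: a policy-module that denies every request and logs which resource layer asked. It assumes the PicketBox AbstractAuthorizationModule/Resource API as shipped with EAP 6 and a hypothetical com.example.authz package; the security-domain fragment in the comment is the wiring in standalone.xml.

```java
package com.example.authz;

import java.util.logging.Logger;

import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.modules.AbstractAuthorizationModule;

/**
 * Hypothetical diagnostic module: denies every authorization request and
 * records which layer (WEB, EJB, ...) consulted it.
 *
 * Wire it into a security domain in standalone.xml (assumed fragment):
 *
 *   <security-domain name="deny-all-check" cache-type="default">
 *     <authentication>
 *       <login-module code="UsersRoles" flag="required"/>
 *     </authentication>
 *     <authorization>
 *       <policy-module code="com.example.authz.DenyAllAuthorizationModule"
 *                      flag="required"/>
 *     </authorization>
 *   </security-domain>
 *
 * With correct behaviour, a servlet request and an EJB method call in this
 * domain are both refused and the log shows one entry per layer. The
 * symptom described in this issue is that only the WEB entry appears and
 * the EJB call succeeds, i.e. the module is never consulted for EJBs.
 */
public class DenyAllAuthorizationModule extends AbstractAuthorizationModule {

    private static final Logger LOG =
            Logger.getLogger(DenyAllAuthorizationModule.class.getName());

    @Override
    public int authorize(Resource resource) {
        // resource.getLayer() identifies the caller: ResourceType.WEB, ResourceType.EJB, ...
        LOG.info("DenyAllAuthorizationModule consulted for layer " + resource.getLayer());
        // Always deny: any successful call through this domain means the
        // module was bypassed for that layer.
        return AuthorizationContext.DENY;
    }
}
```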

                People

                • Assignee:
                  pskopek Peter Škopek
                  Reporter:
                  jcacek Josef Cacek
