WildFly / WFLY-3988

Authorization denied for authenticated users when @PermitAll is used on EJB JAX-WS endpoint

      Description

      Given this endpoint:

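      import javax.annotation.security.DeclareRoles;
      import javax.annotation.security.PermitAll;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.Stateless;
      import javax.jws.WebService;
      import org.jboss.ws.api.annotation.WebContext;

      @Stateless
      @WebService(endpointInterface="com.redhat.gss.SecureEndpoint")
      @DeclareRoles({"a","b"})
      @WebContext(contextRoot="/endpoint",urlPattern="/e",authMethod="BASIC")
      public class SecureEndpointE implements SecureEndpoint {
        // Restricted to callers in role "a"
        @RolesAllowed({"a"})
        public String a() {
          return "Success";
        }

        // Restricted to callers in role "b"
        @RolesAllowed({"b"})
        public String b() {
          return "Success";
        }

        // Should be open to every authenticated caller
        @PermitAll
        public String c() {
          return "Success";
        }
      }
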

      One would expect any authenticated user to be able to invoke c(), but only users with a role found in @DeclareRoles can invoke it.

                People

                • Assignee: Jim Ma (jim.ma)
                • Reporter: Kyle Lape (klape)