[jboss-dev-forums] [Security Development] New message: "EJB3 security - Skip authorization for @PermiAll?"
JBoss development,
A new message was posted in the thread "EJB3 security - Skip authorization for
@PermiAll?":
http://community.jboss.org/message/531585#531585
Author : jaikiran pai
Profile : http://community.jboss.org/people/jaikiran
Message:
--------------------------------------------------------------
I was looking at a thread in the EJB3 forum which was talking about poor performance of a
bean method invocation when the bean is marked with a @SecurityDomain, as compared to a
similar bean without any @SecurityDomain. The bean is like this:
@Stateless
@Local(Ping.class)
@SecurityDomain(unauthenticatedPrincipal = "anonymous",
value="other")
@PermitAll
@LocalBinding (jndiBinding=BeanWithSecurityDomain.JNDI_NAME)
public class BeanWithSecurityDomain implements Ping
{
public static final String JNDI_NAME = "SecurityDomainBean";
/**
* @see org.jboss.ejb3.test.perf.Ping#ping()
*/
public String ping()
{
return "pong1";
}
}
Notice the use of @PermitAll. In the EJB3 security related interceptor
org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2 i notice that even if the
class/method is marked for @PermitAll, the code leads to a authorization call:
boolean isAuthorized = helper.authorize(ejbName,
mi.getMethod(),
sc.getUtil().getUserPrincipal(),
iface,
ejbCS,
sc.getUtil().getSubject(),
callerRunAs,
contextID,
new SimpleRoleGroup(methodRoles));
The authorization call is expensive.
My understanding of @PermitAll was that we would skip this authorization altogether. Is
there any reason why we have to authorize even when the bean is marked for @PermitAll?
--------------------------------------------------------------
To reply to this message visit the message page:
http://community.jboss.org/message/531585#531585