JBoss development,
A new message was posted in the thread "EJB3 security - Skip authorization for @PermiAll?":
http://community.jboss.org/message/531585#531585
Author : jaikiran pai
Profile :
http://community.jboss.org/people/jaikiran
Message:
--------------------------------------------------------------
I was looking at a thread in the EJB3 forum which was talking about poor performance of a
bean method invocation when the bean is marked with a @SecurityDomain, as compared to a
similar bean without any @SecurityDomain. The bean is like this:
import javax.annotation.security.PermitAll;
import javax.ejb.Local;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.LocalBinding;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@Local(Ping.class)
// bound to the "other" security domain; unauthenticated callers get the "anonymous" principal
@SecurityDomain(unauthenticatedPrincipal = "anonymous", value = "other")
@PermitAll
@LocalBinding(jndiBinding = BeanWithSecurityDomain.JNDI_NAME)
public class BeanWithSecurityDomain implements Ping
{
    public static final String JNDI_NAME = "SecurityDomainBean";

    /**
     * @see org.jboss.ejb3.test.perf.Ping#ping()
     */
    public String ping()
    {
        return "pong1";
    }
}
Notice the use of @PermitAll. In the EJB3 security related interceptor
org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2 I notice that even if the
class/method is marked for @PermitAll, the code leads to an authorization call:
    boolean isAuthorized = helper.authorize(ejbName,
                                            mi.getMethod(),
                                            sc.getUtil().getUserPrincipal(),
                                            iface,
                                            ejbCS,
                                            sc.getUtil().getSubject(),
                                            callerRunAs,
                                            contextID,
                                            new SimpleRoleGroup(methodRoles));
The authorization call is expensive.
My understanding of @PermitAll was that we would skip this authorization altogether. Is
there any reason why we have to authorize even when the bean is marked for @PermitAll?
--------------------------------------------------------------
To reply to this message visit the message page:
http://community.jboss.org/message/531585#531585
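The short-circuit the post asks about has to be resolved per method, not per class: under JSR-250 a method-level @RolesAllowed or @DenyAll overrides a class-level @PermitAll, so an interceptor that skips authorization whenever the bean class carries @PermitAll would open every method of the bean. The sketch below is an added illustration, not code from the post or from JBoss: `expensiveAuthorize` is a hypothetical stand-in for the container's `helper.authorize(...)` call, `PingBean` and the role name "admin" are constructed sample data, and it assumes a JDK 8 (or the JSR-250 `javax.annotation-api` jar on the classpath) so that `javax.annotation.security.*` resolves.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/**
 * Illustrative per-method pre-check that skips the costly authorization step
 * when the effective JSR-250 rule is @PermitAll (or @DenyAll).
 * This is an added example, not the JBoss interceptor's code.
 */
public class PermitAllShortCircuit {

    /** Effective access rule for one business method. */
    enum Rule { PERMIT_ALL, DENY_ALL, ROLES }

    /** Counts how often the expensive path ran, so the short-circuit is observable. */
    static int expensiveCalls = 0;

    /**
     * Hypothetical stand-in for the container's role-based authorization
     * (the helper.authorize(...) call quoted in the post); the real one consults
     * the security context, run-as identity and the policy provider.
     */
    static boolean expensiveAuthorize(Set<String> callerRoles, Set<String> requiredRoles) {
        expensiveCalls++;
        for (String role : requiredRoles) {
            if (callerRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolve the rule per method: a method-level annotation overrides the
     * class-level one, so a class-wide @PermitAll must not short-circuit a
     * method carrying @RolesAllowed or @DenyAll.
     */
    static Rule ruleFor(Method m) {
        if (m.isAnnotationPresent(DenyAll.class)) return Rule.DENY_ALL;
        if (m.isAnnotationPresent(PermitAll.class)) return Rule.PERMIT_ALL;
        if (m.isAnnotationPresent(RolesAllowed.class)) return Rule.ROLES;
        Class<?> bean = m.getDeclaringClass();
        if (bean.isAnnotationPresent(DenyAll.class)) return Rule.DENY_ALL;
        if (bean.isAnnotationPresent(PermitAll.class)) return Rule.PERMIT_ALL;
        // @RolesAllowed on the class, or no annotation at all: fall through to the role check
        return Rule.ROLES;
    }

    /** Required roles from the method-level @RolesAllowed, else the class-level one, else none. */
    static Set<String> requiredRoles(Method m) {
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) ra = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        return ra == null ? Collections.<String>emptySet()
                          : new HashSet<String>(Arrays.asList(ra.value()));
    }

    /** The check an interceptor would run before invoking the business method. */
    static boolean authorize(Method m, Set<String> callerRoles) {
        switch (ruleFor(m)) {
            case DENY_ALL:
                return false;   // always denied; no need to consult the policy
            case PERMIT_ALL:
                return true;    // short-circuit: the expensive path is never taken
            default:
                return expensiveAuthorize(callerRoles, requiredRoles(m));
        }
    }

    /** Constructed sample bean mirroring the post's class-level @PermitAll. */
    @PermitAll
    public static class PingBean {
        public String ping() { return "pong1"; }

        @RolesAllowed("admin")   // method-level rule overrides the class-level @PermitAll
        public String reset() { return "reset"; }

        @DenyAll
        public String internal() { return "never"; }
    }

    public static void main(String[] args) throws Exception {
        Set<String> anonymous = Collections.<String>emptySet();
        Set<String> admin = new HashSet<String>(Arrays.asList("admin"));
        Method ping = PingBean.class.getMethod("ping");
        Method reset = PingBean.class.getMethod("reset");
        Method internal = PingBean.class.getMethod("internal");

        System.out.println("ping() as anonymous: " + authorize(ping, anonymous)
                + " (expensive calls so far: " + expensiveCalls + ")");
        System.out.println("reset() as anonymous: " + authorize(reset, anonymous)
                + " (expensive calls so far: " + expensiveCalls + ")");
        System.out.println("reset() as admin: " + authorize(reset, admin)
                + " (expensive calls so far: " + expensiveCalls + ")");
        System.out.println("internal() as admin: " + authorize(internal, admin)
                + " (expensive calls so far: " + expensiveCalls + ")");
    }
}
```

Compile and run with `javac PermitAllShortCircuit.java && java PermitAllShortCircuit`. Only the `reset()` invocations take the expensive path; `ping()` is permitted and `internal()` is denied without it ever running. Two caveats for a real interceptor: the decision must be cached per method rather than re-read through reflection on every invocation, or the reflection cost replaces the authorization cost; and skipping the authorization call does not remove the need to establish the security context (caller principal, run-as) for code further down the chain that reads it.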