[
https://issues.jboss.org/browse/WFLY-1166?page=com.atlassian.jira.plugin....
]
Stuart Douglas resolved WFLY-1166.
----------------------------------
Resolution: Rejected
I don't think it is worth adding in any more settings to make this configurable. It
can already be accomplished by changing the default, and it would not really be
consistent, as class-level security annotations only affect methods declared in the class,
not super class methods.
Adding settings to change the way these annotations work would just be confusing IMHO, and
increase the chances of misconfiguration that could inadvertently expose some methods.
Security annotations should not be required on abstract session beans
---------------------------------------------------------------------
Key: WFLY-1166
URL: https://issues.jboss.org/browse/WFLY-1166
Project: WildFly
Issue Type: Feature Request
Components: EJB
Reporter: Samuel Santos
Assignee: Stuart Douglas
Example project structure:
{code:java}
@Stateless
@RunAs("private")
@RolesAllowed("simpleuser")
@SecurityDomain("myRealm")
@TransactionAttribute(TransactionAttributeType.REQUIRED)
public class ExampleServiceBean implements ExampleService {}

@Stateless
@RolesAllowed("private")
@SecurityDomain("myRealm")
@TransactionAttribute(TransactionAttributeType.SUPPORTS)
public class ExampleDAOBean extends GenericDAOImpl<ExampleEntity, Long> implements ExampleDAO {}

@RolesAllowed("private")
@SecurityDomain("myRealm")
public abstract class GenericDAOImpl<T, PK extends Serializable> implements GenericDAO<T, PK> {}
{code}
If you remove the annotations {{@RolesAllowed("private")}} and
{{@SecurityDomain("myRealm")}} from {{GenericDAOImpl}} you will get an
"Access Denied" error when invoking {{ExampleDAOBean}} from
{{ExampleServiceBean}}.
This does not make sense. The annotations available on {{ExampleDAOBean}} should override
any security constraints in the class that it extends.
Moreover, the documentation on
https://docs.jboss.org/author/display/AS72/Securing+EJBs
does not state that abstract classes should be annotated.
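
The rule given in the resolution (a class-level security annotation covers only the methods declared in that class, not inherited ones) can be checked with a small reflection audit. This is an added example, not WildFly code and not part of the original issue: the local {{RolesAllowed}} annotation is a stand-in for the real one, the two classes are constructed to mirror the report with the annotation removed from the abstract parent, and {{rolesFor}} and {{audit}} are hypothetical helpers that model the lookup rule only.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;

public class RoleResolutionDemo {
    // Stand-in for javax.annotation.security.RolesAllowed so the demo
    // compiles without an EJB API jar (assumption: same targets, not @Inherited).
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface RolesAllowed { String[] value(); }

    // Constructed classes mirroring the report; the abstract parent is unannotated.
    public abstract static class GenericDAOImpl {
        public void save() {}
    }

    @RolesAllowed("private")
    public static class ExampleDAOBean extends GenericDAOImpl {
        public void findByName() {}
    }

    // A method-level annotation wins; otherwise look at the class that DECLARES
    // the method, not the concrete bean class. Empty means nothing was declared
    // and the container's default for unannotated methods applies.
    static Optional<List<String>> rolesFor(Method m) {
        RolesAllowed r = m.getAnnotation(RolesAllowed.class);
        if (r == null) r = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        return r == null ? Optional.empty() : Optional.of(Arrays.asList(r.value()));
    }

    // Lists every public business method of a bean with the roles that apply to it.
    static Map<String, String> audit(Class<?> bean) {
        Map<String, String> out = new TreeMap<>();
        for (Method m : bean.getMethods()) {
            if (m.getDeclaringClass() == Object.class || Modifier.isStatic(m.getModifiers())) continue;
            String key = m.getDeclaringClass().getSimpleName() + "." + m.getName();
            out.put(key, rolesFor(m).map(Object::toString)
                                    .orElse("NO PERMISSION DECLARED (container default)"));
        }
        return out;
    }

    public static void main(String[] args) {
        audit(ExampleDAOBean.class).forEach((k, v) -> System.out.println(k + " -> " + v));
    }
}
```

Running the audit over each concrete bean class shows which inherited methods fall through to the container default, which is the case the reporter hit with {{GenericDAOImpl}}.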