Josef Cacek created AS7-5862:
--------------------------------
Summary: Do not ignore security annotations and deployment descriptor
configurations on EJBs in the absence of explicit security domain configuration
Key: AS7-5862
URL:
https://issues.jboss.org/browse/AS7-5862
Project: Application Server 7
Issue Type: Feature Request
Components: EJB
Affects Versions: 7.1.2.Final (EAP)
Reporter: Josef Cacek
Assignee: jaikiran pai
Fix For: 7.2.0.Alpha1
Consider the following example:
{code}
@Stateless
public class SecureBean
{
@RolesAllowed("role1")
public void restrictedRoles()
{
...
}
@DenyAll
public void denyEveryone()
{
...
}
}
{code}
Notice that the bean methods use EJB security annotations to restrict access *however* the
bean doesn't have any explicit @SecurityDomain configured (not even in
jboss-ejb3.xml). Right now, AS7 ignores the security restriction on that bean allows
everyone to invoke on it, as if security wasn't configured for that bean. This has
confused users who expect the invocations to fail since they have used the javax.ejb.*
security annotations to restrict access. Many users have asked for a feature where the
security domain is defaulted (if not explicitly specified) in cases like this.
This JIRA is expected to introduce this feature in AS 7.2.x
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira