Michał Zegan created WFLY-5063:
----------------------------------
Summary: Confusing authorization behavior in undertow/ejb3
Key: WFLY-5063
URL:
https://issues.jboss.org/browse/WFLY-5063
Project: WildFly
Issue Type: Bug
Reporter: Michał Zegan
Assignee: Jason Greene
I believe that the behavior of web and ejb authorization is confusing, and at the same
time it is undocumented.
Here it is:
1. There are authorization settings in security domains that specify policy modules to
use.
2. In case of web authorization with undertow, security domains are not used by default
unless this is enabled in jboss-web.xml, but even though this is the case, if you change a
default module to jacc, undertow switches to jacc authorization even though it normally
does not use security domains.
3. If jboss authorization is enabled in jboss-web.xml, then the default authorization
module does nothing but you still get normal authz behavior as per servlet spec... But if
you would set authorization policy to jacc, I believe it would cause jacc checks to be
performed twice in case of successful auth, once because of security domain settings, once
inside undertow...
4. At the same time EJB container uses authorization modules in security domains as the
only authorization mechanism and in this case the default module really implements
authorization decisions.
5. And, as the last point, in addition to the possibility to using jacc module or xacml
module to authorize ejbs (and servlets), you can probably do the same with changing a
delegate in the default delegating authz module.
It is possible I forgot something or that I am wrong, but...... That seems extremely
complex to actually understand, and some things here seem to be redundant.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)