[ https://issues.jboss.org/browse/WFLY-3988?page=com.atlassian.jira.plugin.... ]
Jim Ma commented on WFLY-3988:
------------------------------
To clarify a bit for this issue:
For the above annotated EJB class, it is expected that only the users with a role found in @DeclareRoles can
invoke c(). Alessio's suggestion let me find another issue: the
@PermitAll annotated on class level doesn't work.
My change fixed this issue and enables all authorized users to go through the EJB container's
security check. Without this fix, authorization for @PermitAll on class level or no class-level
security annotation doesn't work properly.
Authorization denied for authenticated users when @PermitAll is used on EJB JAX-WS endpoint
-------------------------------------------------------------------------------------------
Key: WFLY-3988
URL: https://issues.jboss.org/browse/WFLY-3988
Project: WildFly
Issue Type: Bug
Components: Web Services
Affects Versions: 8.1.0.Final
Reporter: Kyle Lape
Assignee: Jim Ma
Fix For: 9.0.0.Beta1
Given this endpoint:
{code:java}
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebService;

import org.jboss.ws.api.annotation.WebContext;

@Stateless
@WebService(endpointInterface = "com.redhat.gss.SecureEndpoint")
@DeclareRoles({"a", "b"})
@WebContext(contextRoot = "/endpoint", urlPattern = "/e", authMethod = "BASIC")
public class SecureEndpointE implements SecureEndpoint {

    // Only callers in role "a" may invoke this method.
    @RolesAllowed({"a"})
    public String a() {
        return "Success";
    }

    // Only callers in role "b" may invoke this method.
    @RolesAllowed({"b"})
    public String b() {
        return "Success";
    }

    // Any authenticated caller should be able to invoke this method.
    @PermitAll
    public String c() {
        return "Success";
    }
}
{code}
One would expect any authenticated user to be able to invoke {{c()}}, but only users with
a role found in {{@DeclareRoles}} can invoke it.
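The following is an added reference model of the EJB method-permission rules that the reported endpoint and the class-level {{@PermitAll}} case from the comment depend on; it is not WildFly code and not the reporter's test case. It uses only the JSR-250 annotations (assumed to be on the classpath via javax.annotation-api) and plain reflection, so it states what a container is expected to decide without deploying anything. The nested bean classes, the caller role sets and the method names are constructed to mirror the issue; the EJB and JAX-WS annotations are left out because they play no part in the permission decision.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/**
 * Constructed example (not WildFly code): a reference model of the method-permission
 * rules in EJB 3.1 section 17.3.2, used to spell out what the container is expected to
 * decide for the endpoint in this issue. Requires only javax.annotation-api; no container.
 */
public class EjbPermissionModel {

    /** Mirrors the reporter's bean: same security annotations, minus the EJB/JAX-WS ones. */
    @DeclareRoles({"a", "b"})
    public static class SecureEndpointE {
        @RolesAllowed({"a"}) public String a() { return "Success"; }
        @RolesAllowed({"b"}) public String b() { return "Success"; }
        @PermitAll           public String c() { return "Success"; }
    }

    /** The second case from the comment: @PermitAll on the class, nothing on the methods. */
    @PermitAll
    public static class OpenEndpoint {
        public String d() { return "Success"; }
    }

    /**
     * Effective permission for one business method. A method-level annotation wins over
     * the class-level one; @DeclareRoles only declares role names and never restricts
     * callers; a method with no security metadata at all is unchecked (permitted).
     * The caller is assumed to be already authenticated (authMethod="BASIC" on the page).
     */
    public static boolean isPermitted(Method m, Set<String> callerRoles) {
        if (m.isAnnotationPresent(DenyAll.class)) return false;
        if (m.isAnnotationPresent(PermitAll.class)) return true;
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) {
            Class<?> bean = m.getDeclaringClass();
            if (bean.isAnnotationPresent(DenyAll.class)) return false;
            if (bean.isAnnotationPresent(PermitAll.class)) return true;
            ra = bean.getAnnotation(RolesAllowed.class);
            if (ra == null) return true; // no security metadata anywhere: unchecked
        }
        for (String role : ra.value()) {
            if (callerRoles.contains(role)) return true;
        }
        return false;
    }

    static Set<String> roles(String... r) { return new HashSet<>(Arrays.asList(r)); }

    static void check(String what, boolean got, boolean expected) {
        if (got != expected) throw new AssertionError(what + ": expected " + expected);
        System.out.println(what + " -> " + (got ? "permitted" : "denied"));
    }

    public static void main(String[] args) throws Exception {
        // Constructed callers: both authenticated; "outsider" holds none of the declared roles.
        Set<String> roleA = roles("a");
        Set<String> outsider = roles("guest");

        Method a = SecureEndpointE.class.getMethod("a");
        Method c = SecureEndpointE.class.getMethod("c");
        Method d = OpenEndpoint.class.getMethod("d");

        check("a() for role a",   isPermitted(a, roleA),    true);
        check("a() for outsider", isPermitted(a, outsider), false);
        check("c() for outsider", isPermitted(c, outsider), true);  // the reported bug denied this
        check("d() for outsider", isPermitted(d, outsider), true);  // class-level @PermitAll
    }
}
```

Running the {{main}} method prints the four expected decisions; the two {{outsider}} cases that must come out as permitted are exactly the behaviour the report and the comment describe as broken, so the same checks, pointed at a deployed endpoint through a BASIC-authenticated client, are a useful regression test for the fix.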
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)