Abhijit Sarkar created JBWS-3485:
------------------------------------
Summary: JBoss AS 7 requires authentication for unsecured methods
Key: JBWS-3485
URL: https://issues.jboss.org/browse/JBWS-3485
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public (Everyone can see)
Environment: Mac OS X, Apple JDK 1.6.31, JBoss AS 7.1.1.Final
Reporter: Abhijit Sarkar
*** Not sure about component or affect versions, please excuse ***
Have a simple EJB3 Endpoint with 3 methods, one unannotated, another annotated @PermitAll
and the other one annotated @RolesAllowed. Using security domain "other" with 2
users, details shown below. JBoss returns 401 when the unannotated/unsecured method is
invoked without proper authorization. It shouldn't care about authentication or
authorization for the unannotated/unsecured method.
Attached with the forum post is a project that demonstrates the problem. The post started
off on an incorrect understanding but ends with the correct one, so please read it fully
before commenting.
# application-users.properties #
# is for illustration only and does not correspond to a usable password.
#
#admin=2a0923285184943425d1f53ddd58ec7a
user=8544a03c79aee5b1c99458d83ee0f9e0
guest=1bb6b7c18b5c1dab17f5141fa398905a
# application-roles.properties #
#
#admin=PowerUser,BillingAdmin,
#guest=guest
user=AppUser
guest=AppGuest