Robert Brendler <robert.brendler@gmail.com> wrote:
I am not sure if this is valid usage of EJB security, but when I add another possible role in @ServletSecurity, let's simply call it "user". Role "user" does not include the rights of "guest" and vice versa, so when I annotate a second method in the SecuredEjb like the following, I expect that it is forbidden for "guest".
@RolesAllowed({"user"}) public String getSecurityInfoUser()
I log in as "guest" and in the Servlet's doGet() method make a call to both methods; both return the same result.
This leads me to the conclusion that all security annotations in SecuredEjb are rather useless, because the actual authorization happens via the authentication in the Servlet via @ServletSecurity. Basically this means I will have to create a separate Servlet for every role and duplicate code, or at least delegators that more than one role should be allowed to call.
Can you verify this: is this intended behaviour, or is there a workaround?
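The following is an added illustration of the setup described in the comment above; it is not the commenter's code. It assumes a Java EE container whose security realm maps logged-in users to the groups "guest" and "user" and whose role-to-group mapping is configured for both roles (class, method and URL names are hypothetical). It reports the principal and roles as seen separately by the servlet container and by the EJB container, and catches the EJBAccessException that the EJB container throws when @RolesAllowed is actually enforced, so the two layers of authorization can be told apart instead of inferred from identical return values.

```java
// --- SecuredEjb.java (hypothetical bean, added example) ---
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"guest", "user"})   // declare every role the bean refers to
public class SecuredEjb {
    @Resource
    private SessionContext ctx;

    @RolesAllowed({"guest"})
    public String getSecurityInfoGuest() {
        return describeCaller("getSecurityInfoGuest");
    }

    @RolesAllowed({"user"})
    public String getSecurityInfoUser() {
        return describeCaller("getSecurityInfoUser");
    }

    // Reports the principal the EJB container actually sees and its view of both roles.
    // If isCallerInRole() is false for every role, the EJB layer has no role information
    // to enforce, regardless of what the servlet layer accepted.
    private String describeCaller(String method) {
        return method + " called by " + ctx.getCallerPrincipal().getName()
             + " guest=" + ctx.isCallerInRole("guest")
             + " user=" + ctx.isCallerInRole("user");
    }
}

// --- SecuredServlet.java (hypothetical servlet, added example) ---
import java.io.IOException;
import java.io.PrintWriter;
import java.util.function.Supplier;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/secured")
// The URL-level constraint only requires ONE of the listed roles; per-method
// restrictions are expected to come from @RolesAllowed on the bean.
@ServletSecurity(@HttpConstraint(rolesAllowed = {"guest", "user"}))
public class SecuredServlet extends HttpServlet {
    @EJB
    private SecuredEjb ejb;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        PrintWriter out = resp.getWriter();
        // What the servlet container believes about the caller.
        out.println("servlet sees principal=" + req.getUserPrincipal().getName()
            + " guest=" + req.isUserInRole("guest")
            + " user=" + req.isUserInRole("user"));
        // What the EJB container does with each call.
        out.println(tryCall("guest method", ejb::getSecurityInfoGuest));
        out.println(tryCall("user method", ejb::getSecurityInfoUser));
    }

    // EJBAccessException is the EJB container enforcing @RolesAllowed. For a login that
    // holds only "guest", the expected output is one success and one denial; two
    // successes mean the bean's method-level checks are not being applied.
    private static String tryCall(String label, Supplier<String> call) {
        try {
            return label + ": " + call.get();
        } catch (EJBAccessException e) {
            return label + ": denied by EJB container (" + e.getMessage() + ")";
        }
    }
}
```

Logging in as a "guest"-only user and requesting /secured gives a line per layer: if the servlet reports guest=true while the bean reports both roles false, the servlet and EJB layers disagree about the caller and the container's role-to-group mapping for the EJB module (or the principal propagation between the two) is the place to look; if the bean also reports guest=true but still allows getSecurityInfoUser(), method-level enforcement itself is not active. Either way the check makes the difference observable instead of leaving the annotations looking "useless".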