[jboss-dev-forums] [Design of EJB 3.0] - Re: User friendly warning when @PermitAll and unauthenticate

anil.saldhana@jboss.com do-not-reply at jboss.com
Wed May 2 12:23:09 EDT 2007


Right way: do not force the user to always have an unauth annotation in his beans.  He can specify the unauth identity in any of the following:
a) Security Domain
b) jboss.xml
c) jboss-app.xml

I would prefer the @UI injection that you do for @SD.  I am not a big fan of custom annotations.  I like ur injection stuff.

A log.trace should be done for the warning message.

Carlo de Wolf wrote:
> Thought as much. Hmm, I think we could use a warning message if we spot
> a @PermitAll without an unauthenticatedPrincipal and we don't get
> supplied with a principal from the caller. Any objections?
>
> Carlo
>
> On Wed, 2007-05-02 at 08:40 -0700, Scott M Stark wrote:
>  
>> Unchecked applies to the allowed roles. By default it still needs an
>> authenticated user. If you don't want that, don't annotate the method
>> with a permission, or setup the security domain to allow unauthenticated
>> users. Without such a distinction, the @PermitAll annotation is meaningless.
>>
>> Anil Saldhana wrote:
>>    
>>> So if the user does not provide any username/principal, then the
>>> unauthenticatedIdentity setting (if present) will kick in.
>>>
>>> Anil Saldhana wrote:
>>>      
>>>> That is because Scott thinks that any unchecked method should not be
>>>> totally open to the world. Only authenticated principals should have
>>>> access.
>>>>
>>>> Carlo de Wolf wrote:
>>>>        
>>>>> Do either one of you know why a @PermitAll requires an
>>>>> unauthenticatedPrincipal (on SecurityDomain)?
>>>>> I want the answer beyond: TCK requires AuthorizationInterceptors. :-)
>>>>>
>>>>> Carlo 
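
To make the distinction in the thread concrete (an @PermitAll method unchecks the allowed roles but still needs a caller principal, which can come from the caller or from the configured unauthenticated identity), here is an added example of a JBoss EJB3 session bean. It is not code from the thread or from JBoss itself; the domain name "example-domain", the bean and interface names, and the `guest` identity are constructed, and the `org.jboss.annotation.security.SecurityDomain` package is the JBoss 4.x EJB3 location and is an assumption here.

```java
// Added example, not from the thread: a bean whose @PermitAll method shows how the
// unauthenticated identity decides whether an anonymous caller gets in at all.
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.annotation.security.SecurityDomain; // JBoss 4.x EJB3 package (assumption)

@Local
interface Catalog {
    String whoAmI();
    void reprice(String item, int cents);
}

@Stateless
// "example-domain" is a constructed name; it must match an <application-policy>
// in login-config.xml. The unauthenticated identity can be given in any of the
// three places the thread lists:
//   a) the security domain, as a login-module option:
//        <module-option name="unauthenticatedIdentity">guest</module-option>
//   b) jboss.xml:      <unauthenticated-principal>guest</unauthenticated-principal>
//   c) jboss-app.xml:  <unauthenticated-principal>guest</unauthenticated-principal>
@SecurityDomain("example-domain")
public class CatalogBean implements Catalog {

    @Resource
    private SessionContext ctx;

    // @PermitAll removes the role check only. Without an unauthenticated identity
    // configured, an anonymous caller is rejected by the authorization interceptor
    // before this method runs (the "@PermitAll is meaningless otherwise" point).
    // With unauthenticatedIdentity=guest configured, the anonymous caller runs as
    // the principal "guest", which is what getCallerPrincipal() then returns.
    @PermitAll
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }

    // Role-checked method: the guest identity has no roles unless the login module
    // assigns some, so an anonymous caller is still refused here even when the
    // unauthenticated identity is configured. Check this when reviewing a domain
    // that sets unauthenticatedIdentity, since that one option widens access to
    // every @PermitAll method in the domain.
    @RolesAllowed("admin")
    public void reprice(String item, int cents) {
        // constructed placeholder body
        if (cents < 0) {
            throw new IllegalArgumentException("price must be non-negative");
        }
    }
}
```

The practical check when auditing such a deployment is to look at all three locations above for an unauthenticated principal: if one is set, every @PermitAll method in the domain is reachable without credentials, and the role assignment for that identity (if any) decides what else it reaches.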

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4042515#4042515
