[jboss-jira] [JBoss JIRA] Commented: (EJBTHREE-703) <security-domain> setting in deployment descriptor populates @SecurityDomain annotation incorrectly on EJB3 session beans

Wolfgang Knauf (JIRA) jira-events at lists.jboss.org
Sat Nov 29 11:44:38 EST 2008


    [ https://jira.jboss.org/jira/browse/EJBTHREE-703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12440481#action_12440481 ] 

Wolfgang Knauf commented on EJBTHREE-703:
-----------------------------------------

This works in JBoss 5.0 CR2. 

I have this jboss-app.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-app
    PUBLIC "-//JBoss//DTD J2EE Application 5.0//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-app_5_0.dtd">

<jboss-app>
    <security-domain>java:/jaas/knaufsecurity</security-domain>
</jboss-app> 

There is no "securitydomain" entry in "jboss-web.xml" and no "SecurityDomain" annotation on my EJBs.

My web client shows the login page, and a login is performed. My secured EJB methods throw the expected "javax.ejb.EJBAccessException" if the user is in the wrong role (and the allowed methods work ;-) ).

> <security-domain> setting in deployment descriptor populates @SecurityDomain annotation incorrectly on EJB3 session beans
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: EJBTHREE-703
>                 URL: https://jira.jboss.org/jira/browse/EJBTHREE-703
>             Project: EJB 3.0
>          Issue Type: Bug
>            Reporter: David Green
>            Assignee: Bill Burke
>
> Specifying a <security-domain> in the jboss-app.xml incorrectly sets the @SecurityDomain on EJB3 session beans.
> In the jboss-app.xml the security domain is specified as follows:
> <jboss-app>
> 	<security-domain>java:/jaas/hch</security-domain>
> </jboss-app>
> In Ejb3DescriptorHandler the security-domain is copied directly into the SecurityDomainImpl instance as "java:/jaas/hch", however the @SecurityDomain annotation should be populated with the value "hch" (without the leading "java:/jaas/" prefix).  This causes the EJB3 session bean authentication to behave unexpectedly, since the authentication for the bean reverts to the default domain instead of the specified one.
> The only way I've found to work around this issue is to specify the @SecurityDomain individually on every session bean in the project.

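The failure mode described in the issue report, as an added example that is not part of the original message and is not JBoss code: the descriptor value "java:/jaas/hch" is looked up once as-is (reverting to the default domain, as reported) and once after stripping the prefix, with a lookup that fails closed. The registry contents, the policy names and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"  # JNDI prefix shown in the descriptors on this page

# Constructed sample: the jboss-app.xml fragment quoted in the issue report.
SAMPLE_JBOSS_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<jboss-app>
    <security-domain>java:/jaas/hch</security-domain>
</jboss-app>"""

# Constructed registry standing in for the domains configured in the container.
CONFIGURED_DOMAINS = {"default": "default-policy", "hch": "hch-policy"}


def declared_domain(descriptor_xml):
    """Return the raw <security-domain> text from a descriptor, or None."""
    node = ET.fromstring(descriptor_xml).find("security-domain")
    text = (node.text or "").strip() if node is not None else ""
    return text or None


def bare_name(domain):
    """Strip the JNDI prefix: 'java:/jaas/hch' -> 'hch'."""
    return domain[len(JAAS_PREFIX):] if domain.startswith(JAAS_PREFIX) else domain


def resolve_lenient(domain):
    """Model of the reported behaviour: an unknown name reverts to the default."""
    return CONFIGURED_DOMAINS.get(domain, CONFIGURED_DOMAINS["default"])


def resolve_strict(domain):
    """Normalize first, then fail closed if the domain is not configured."""
    name = bare_name(domain)
    if name not in CONFIGURED_DOMAINS:
        raise LookupError(f"security domain {name!r} is not configured")
    return CONFIGURED_DOMAINS[name]


if __name__ == "__main__":
    raw = declared_domain(SAMPLE_JBOSS_APP)
    print("declared:", raw)
    print("lenient :", resolve_lenient(raw))
    print("strict  :", resolve_strict(raw))
```
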