[jboss-jira] [JBoss JIRA] Assigned: (JBAS-5960) EJB2: Lack of security domain in JBoss DD does not bypass security
Anil Saldhana (JIRA)
jira-events at lists.jboss.org
Fri Sep 19 12:59:21 EDT 2008
[ https://jira.jboss.org/jira/browse/JBAS-5960?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anil Saldhana reassigned JBAS-5960:
-----------------------------------
Assignee: Marcus Moyses (was: Anil Saldhana)
The location of the code is org.jboss.ejb.plugins.SecurityInterceptor where we check for security domain == null. If yes, we print a log.WARN and move on to the next interceptor.
What we need to do is if security domain == null, then just take the default for EJBs, SecurityConstants.DEFAULT_EJB_APPLICATION_POLICY).
Ensure that the run "ant tests-security-basic-unit" passes in AS5 testsuite.
> EJB2: Lack of security domain in JBoss DD does not bypass security
> ------------------------------------------------------------------
>
> Key: JBAS-5960
> URL: https://jira.jboss.org/jira/browse/JBAS-5960
> Project: JBoss Application Server
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: EJB2
> Affects Versions: JBossAS-5.0.0.CR1
> Reporter: Anil Saldhana
> Assignee: Marcus Moyses
> Fix For: JBossAS-5.0.0.GA
>
>
> Currently, if there is no security domain defined for a deployment, we bypass security with a fat WARN message. But if there is presence of security meta data for the deployment (EJB2 method perms in ejb-jar.xml), there is an expectation of security enforcement. In this case, we need to default the security domain to "other".
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list