[jboss-jira] [JBoss JIRA] (AS7-3422) @RolesAllowed @DenyAll on EJBs does not work

G P (JIRA) jira-events at lists.jboss.org
Mon Jan 23 14:53:18 EST 2012


G P created AS7-3422:
------------------------

             Summary: @RolesAllowed @DenyAll on EJBs does not work
                 Key: AS7-3422
                 URL: https://issues.jboss.org/browse/AS7-3422
             Project: Application Server 7
          Issue Type: Bug
          Components: EJB
    Affects Versions: 7.1.0.CR1b
            Reporter: G P
            Assignee: jaikiran pai


I've a war within EJBs. Annotating an EJB method with @RolesAllowed or @DenyAll does not work as expected - the method is executed even if the roles do not match.
I also added the @SecurityDomain annotation, which did not change the behaviour.

EJBContext getCallerPrincipal() returns the correct (authenticated) principal, and isCallerInRole() works fine, but not @RolesAllowed

jboss-web.xml:
<jboss-web><security-domain>formauth</security-domain></jboss-web>

Here's the security-domain part of standalone.xml, which is referenced in the war:
<security-domain name="formauth" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="defaultUsers.properties"/>
            <module-option name="rolesProperties" value="defaultRoles.properties"/>
        </login-module>
    </authentication>
</security-domain>

At https://community.jboss.org/message/648047 is a sample war which reproduces the defect


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
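For readers of this report, here is an added example (not the reporter's sample war and not code from the AS7 project) of a stateless EJB declared the way the description says: @SecurityDomain naming the "formauth" domain from jboss-web.xml, one method under @RolesAllowed, one under @DenyAll, and a programmatic isCallerInRole() guard beside them. The bean class, method names, the "admin" role and the package are assumptions made up for illustration; the annotations, SessionContext and EJBAccessException are the standard Java EE 6 / AS7 types.

```java
// Added example, not from the JIRA report: an EJB annotated as the report describes.
package example.security;  // hypothetical package

import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("formauth")  // must match <security-domain> in jboss-web.xml / standalone.xml
public class AccountBean {

    @Resource
    private SessionContext ctx;

    // Expected container behaviour: a caller without the "admin" role
    // (hypothetical role name) gets javax.ejb.EJBAccessException and the
    // body never runs. The report says the body runs regardless.
    @RolesAllowed("admin")
    public void closeAccount(String accountId) {
        // business logic goes here
    }

    // Expected: no caller at all may invoke this through the container.
    @DenyAll
    public void internalOnly() {
        // business logic goes here
    }

    // Open to any authenticated caller; returns the principal the report
    // says getCallerPrincipal() correctly reports.
    @PermitAll
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }

    // Programmatic check the report says does work. A defensive guard like this
    // does not depend on declarative enforcement, so it keeps the method closed
    // even while the @RolesAllowed path is not being applied.
    public void closeAccountChecked(String accountId) {
        if (!ctx.isCallerInRole("admin")) {
            throw new EJBAccessException("caller " + ctx.getCallerPrincipal().getName()
                    + " lacks role admin");
        }
        // business logic goes here
    }
}
```

A regression test for this report is a client that authenticates as a user whose roles (from defaultRoles.properties) do not include "admin", calls closeAccount(), and fails the test unless EJBAccessException is thrown; the same call against closeAccountChecked() shows whether only the declarative path is affected.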
