[jboss-jira] [JBoss JIRA] (AS7-3422) @RolesAllowed @DenyAll on EJBs does not work

jaikiran pai (JIRA) jira-events at lists.jboss.org
Thu Jan 26 02:40:50 EST 2012


    [ https://issues.jboss.org/browse/AS7-3422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12662069#comment-12662069 ] 

jaikiran pai commented on AS7-3422:
-----------------------------------

{quote}
but shouldn't "@SecurityDomain" (at EJB level) do the same as jboss-ejb3.xml? Only using @SecurityDomain (without jboss-ejb3.xml) does not work as expected.
{quote}

I just replied in the forum thread https://community.jboss.org/message/648787#648787. The application is using the wrong @SecurityDomain. You should be using @org.jboss.ejb3.annotation.SecurityDomain.

                
> @RolesAllowed @DenyAll on EJBs does not work
> --------------------------------------------
>
>                 Key: AS7-3422
>                 URL: https://issues.jboss.org/browse/AS7-3422
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: EJB
>    Affects Versions: 7.1.0.CR1b
>            Reporter: Gernot P
>            Assignee: jaikiran pai
>
> I've a war within EJBs. Annotating an EJB method with @RolesAllowed or @DenyAll does not work as expected - method is executed even if the roles do not match.
> I also added @SecurityDomain annotation, which did not change the behaviour.
> EJBContext getCallerPrincipal() returns the correct (authenticated) principal, and isCallerInRole() works fine, but not @RolesAllowed
> jboss-web.xml:
> <jboss-web><security-domain>formauth</security-domain></jboss-web>
> Here's the security-domain part of standalone.xml, which is referenced in the war:
> <security-domain name="formauth" cache-type="default">
>     <authentication>
>     <login-module code="UsersRoles" flag="required">
>         <module-option name="usersProperties" value="defaultUsers.properties"/>
>         <module-option name="rolesProperties" value="defaultRoles.properties"/>
>     </login-module>
>     </authentication>
> </security-domain>
> At https://community.jboss.org/message/648047 is a sample war which reproduces the defect

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
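
An added example, not part of the original message or the reporter's sample war: an EJB bound to the "formauth" domain through the annotation named in the comment, so that @RolesAllowed and @DenyAll are checked by the EJB container. The package, class, method and role names are hypothetical, and it assumes the Java EE 6 API and the org.jboss.ejb3.annotation classes are on the compile classpath.

```java
package example; // hypothetical package

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// The annotation the comment points to. Check this import line first:
// an annotation with the same simple name from another package compiles
// without complaint but is not the one named in the comment.
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("formauth") // same domain name as in jboss-web.xml and standalone.xml
public class ReportService {

    // Only callers that the "formauth" domain maps to the (hypothetical)
    // role "admin" may invoke this; others get javax.ejb.EJBAccessException.
    @RolesAllowed("admin")
    public String adminReport() {
        return "admin-only report";
    }

    // No caller may invoke this through the container, whatever their roles.
    @DenyAll
    public void disabledOperation() {
        throw new IllegalStateException("must never be reached via the container");
    }

    // Explicitly open to every caller, so the intent is visible in review.
    @PermitAll
    public String ping() {
        return "pong";
    }
}
```

A quick regression check for this class of bug is an integration test that logs in as a user without the role and asserts that adminReport() and disabledOperation() both fail with EJBAccessException.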

        

