[jboss-jira] [JBoss JIRA] (AS7-5581) Do not ignore security annotations and deployment descriptor configurations on EJBs in the absence of explicit security domain configuration
jaikiran pai (JIRA)
jira-events at lists.jboss.org
Wed Oct 3 03:05:03 EDT 2012
[ https://issues.jboss.org/browse/AS7-5581?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
jaikiran pai updated AS7-5581:
------------------------------
Git Pull Request: https://github.com/jbossas/jboss-as/pull/3075, https://github.com/jbossas/jboss-as/pull/3164 (was: https://github.com/jbossas/jboss-as/pull/3075)
> Do not ignore security annotations and deployment descriptor configurations on EJBs in the absence of explicit security domain configuration
> --------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: AS7-5581
> URL: https://issues.jboss.org/browse/AS7-5581
> Project: Application Server 7
> Issue Type: Feature Request
> Components: EJB
> Affects Versions: 7.1.2.Final (EAP)
> Reporter: jaikiran pai
> Assignee: jaikiran pai
> Fix For: 7.2.0.Alpha1
>
>
> Consider the following example:
> {code}
> import javax.annotation.security.DenyAll;
> import javax.annotation.security.RolesAllowed;
> import javax.ejb.Stateless;
>
> // No @SecurityDomain on the bean and none in jboss-ejb3.xml:
> // AS7 currently treats the bean as unsecured and ignores the annotations below.
> @Stateless
> public class SecureBean
> {
>     @RolesAllowed("role1")
>     public void restrictedRoles()
>     {
>         // ...
>     }
>
>     @DenyAll
>     public void denyEveryone()
>     {
>         // ...
>     }
> }
> {code}
> Notice that the bean methods use EJB security annotations to restrict access, *however* the bean doesn't have any explicit @SecurityDomain configured (not even in jboss-ejb3.xml). Right now, AS7 ignores the security restriction on that bean and allows everyone to invoke on it, as if security wasn't configured for that bean. This has confused users who expect the invocations to fail, since they have used the javax.ejb.* security annotations to restrict access. Many users have asked for a feature where the security domain is defaulted (if not explicitly specified) in cases like this.
> This JIRA is expected to introduce this feature in AS 7.2.x
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
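Added example, not code from the issue or from the AS7 code base: the same bean with an explicit security domain, which makes the container enforce the annotations on current AS7 releases without relying on the defaulting this issue proposes. It assumes the org.jboss.ejb3.annotation.SecurityDomain annotation and a security domain named "other" being defined in the server's security subsystem.

```java
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

// With an explicit security domain the container applies the
// javax.annotation.security annotations, whether or not a default domain
// exists. "other" is an assumed domain name; use the one your deployment
// actually defines in the security subsystem.
@Stateless
@SecurityDomain("other")
public class SecureBean
{
    @RolesAllowed("role1")
    public void restrictedRoles()
    {
        // reachable only by an authenticated caller holding role1
    }

    @DenyAll
    public void denyEveryone()
    {
        // never reachable through the container, regardless of caller
    }

    @PermitAll
    public void openToAll()
    {
        // explicitly opened; unauthenticated callers are allowed here
    }
}
```

The equivalent can be declared for every bean in a module through the jboss-ejb3.xml assembly descriptor instead of the annotation, which is the safer choice when the bean classes are not under your control.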