[jboss-jira] [JBoss JIRA] (AS7-6689) Security annotations should not be required on abstract session beans

Samuel Santos (JIRA) jira-events at lists.jboss.org
Thu Mar 7 13:44:42 EST 2013


Samuel Santos created AS7-6689:
----------------------------------

             Summary: Security annotations should not be required on abstract session beans
                 Key: AS7-6689
                 URL: https://issues.jboss.org/browse/AS7-6689
             Project: Application Server 7
          Issue Type: Bug
    Affects Versions: 7.2.0.CR1
            Reporter: Samuel Santos


Example project structure:

{code:java}
// Each class lives in its own source file; they are shown together here for brevity.
import java.io.Serializable;

import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;

import org.jboss.ejb3.annotation.SecurityDomain;

// Caller: its invocations of other beans run with the "private" role
@Stateless
@RunAs("private")
@RolesAllowed("simpleuser")
@SecurityDomain("myRealm")
@TransactionAttribute(TransactionAttributeType.REQUIRED)
public class ExampleServiceBean implements ExampleService {}

// Callee: requires the "private" role, which the caller's @RunAs supplies
@Stateless
@RolesAllowed("private")
@SecurityDomain("myRealm")
@TransactionAttribute(TransactionAttributeType.SUPPORTS)
public class ExampleDAOBean extends GenericDAOImpl<ExampleEntity, Long> implements ExampleDAO {}

// Abstract base class: removing the two annotations below triggers the "Access Denied" described in this report
@RolesAllowed("private")
@SecurityDomain("myRealm")
public abstract class GenericDAOImpl<T, PK extends Serializable> implements GenericDAO<T, PK> {}
{code}

If you remove the annotations {{@RolesAllowed("private")}} and {{@SecurityDomain("myRealm")}} from {{GenericDAOImpl}} you will get an "Access Denied" error when invoking {{ExampleDAOBean}} from {{ExampleServiceBean}}.

This does not make sense. The annotations available on {{ExampleDAOBean}} should override any security constraints in the class that it extends.

Moreover, the documentation on https://docs.jboss.org/author/display/AS72/Securing+EJBs does not state that abstract classes should be annotated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
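The resolution the report expects (the most-derived class's {{@RolesAllowed}} wins, and the caller's {{@RunAs}} supplies the role) can be modelled outside the container. The following is an added illustration, not AS7's own authorization code: it assumes a JDK 8 classpath, where {{javax.annotation.security}} is bundled, mirrors the reported hierarchy under constructed class names with the JBoss-specific {{@SecurityDomain}} omitted, and resolves roles with a hypothetical {{rolesAllowedFor}} walk from the concrete bean up to {{Object}}.

```java
import java.lang.annotation.Inherited;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;

public class SecurityAnnotationResolution {

    // Constructed stand-ins for the reported hierarchy; @SecurityDomain and @Stateless are omitted
    // because they are container annotations that are not needed to show the role resolution.
    public static abstract class GenericDAOImpl<T> {}          // the failing case: no annotations here

    @RolesAllowed("private")
    public static class ExampleDAOBean extends GenericDAOImpl<String> {}

    @RunAs("private")
    @RolesAllowed("simpleuser")
    public static class ExampleServiceBean {}

    /** Hypothetical resolver: the first class-level @RolesAllowed found walking up from the concrete class wins. */
    static List<String> rolesAllowedFor(Class<?> bean) {
        for (Class<?> k = bean; k != null; k = k.getSuperclass()) {
            RolesAllowed ra = k.getAnnotation(RolesAllowed.class);
            if (ra != null) {
                return Arrays.asList(ra.value());
            }
        }
        return Collections.emptyList();                         // no constraint anywhere: unprotected
    }

    /** EJB semantics: a caller's @RunAs replaces its own roles for outbound calls. */
    static boolean callAllowed(Class<?> caller, Class<?> target, Set<String> callerRoles) {
        RunAs runAs = caller.getAnnotation(RunAs.class);
        Set<String> effective = runAs != null ? Collections.singleton(runAs.value()) : callerRoles;
        List<String> required = rolesAllowedFor(target);
        if (required.isEmpty()) {
            return true;
        }
        return required.stream().anyMatch(effective::contains);
    }

    public static void main(String[] args) {
        // @RolesAllowed is not meta-annotated @Inherited, so a superclass's annotation is never visible
        // through getAnnotation() on the subclass; a container has to walk the hierarchy explicitly.
        System.out.println("RolesAllowed is @Inherited: " + RolesAllowed.class.isAnnotationPresent(Inherited.class));
        System.out.println("Superclass annotation seen on subclass: "
                + (GenericDAOImpl.class.getAnnotation(RolesAllowed.class) != null));

        // Expected resolution: the concrete bean's own annotation is found first, so the abstract
        // superclass does not need one.
        System.out.println("Roles required by ExampleDAOBean: " + rolesAllowedFor(ExampleDAOBean.class));

        // The service bean's @RunAs("private") satisfies @RolesAllowed("private") on the DAO bean
        // even though the authenticated user only holds "simpleuser".
        boolean allowed = callAllowed(ExampleServiceBean.class, ExampleDAOBean.class,
                Collections.singleton("simpleuser"));
        System.out.println("ExampleServiceBean -> ExampleDAOBean allowed: " + allowed);
    }
}
```

Under this model the call succeeds with no annotations on the abstract class, which is the behaviour the report argues for; the "Access Denied" observed on 7.2.0.CR1 means the container's resolution differs from this walk, and the check to run after a fix is exactly the hierarchy in the report with the two annotations removed from {{GenericDAOImpl}}.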