[jboss-jira] [JBoss JIRA] (AS7-6689) Security annotations should not be required on abstract session beans

Stuart Douglas (JIRA) jira-events at lists.jboss.org
Sun Mar 10 18:44:41 EDT 2013


     [ https://issues.jboss.org/browse/AS7-6689?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stuart Douglas resolved AS7-6689.
---------------------------------

    Resolution: Rejected


The EJB spec does not define how methods with no security metadata should be interpreted, but instead leaves it up to the implementation.

In AS 7.1 we treated these methods as being implicit allow; however, due to security concerns we have changed this in 7.2 to default deny. This behaviour is now configurable, however.

In order to revert to the 7.1 behaviour you can either change the following value to false in the EJB subsystem in standalone.xml:

       <default-missing-method-permissions-deny-access value="true" />

This will make the change for all deployments in the application server. 

Alternatively you can add a jboss-ejb3.xml file to your deployment with the following contents:

https://github.com/jbossas/jboss-as/blob/master/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/missingmethodpermission/one-jboss-ejb3.xml


                
> Security annotations should not be required on abstract session beans
> ---------------------------------------------------------------------
>
>                 Key: AS7-6689
>                 URL: https://issues.jboss.org/browse/AS7-6689
>             Project: Application Server 7
>          Issue Type: Bug
>    Affects Versions: EAP 6.1.0.Alpha (7.2.0.Final)
>            Reporter: Samuel Santos
>
> Example project structure:
> {code:java}
> import java.io.Serializable;
> import javax.annotation.security.RolesAllowed;
> import javax.annotation.security.RunAs;
> import javax.ejb.Stateless;
> import javax.ejb.TransactionAttribute;
> import javax.ejb.TransactionAttributeType;
> import org.jboss.ejb3.annotation.SecurityDomain;
>
> // Caller bean: runs as the "private" role when it invokes the DAO bean.
> @Stateless
> @RunAs("private")
> @RolesAllowed("simpleuser")
> @SecurityDomain("myRealm")
> @TransactionAttribute(TransactionAttributeType.REQUIRED)
> public class ExampleServiceBean implements ExampleService {}
>
> // Concrete DAO bean: only the "private" role may call it.
> @Stateless
> @RolesAllowed("private")
> @SecurityDomain("myRealm")
> @TransactionAttribute(TransactionAttributeType.SUPPORTS)
> public class ExampleDAOBean extends GenericDAOImpl<ExampleEntity, Long> implements ExampleDAO {}
>
> // Abstract superclass that declares the inherited business methods.
> @RolesAllowed("private")
> @SecurityDomain("myRealm")
> public abstract class GenericDAOImpl<T, PK extends Serializable> implements GenericDAO<T, PK> {}
> {code}
> If you remove the annotations {{@RolesAllowed("private")}} and {{@SecurityDomain("myRealm")}} from {{GenericDAOImpl}} you will get an "Access Denied" error when invoking {{ExampleDAOBean}} from {{ExampleServiceBean}}.
> This does not make sense. The annotations available on {{ExampleDAOBean}} should override any security constraints in the class that it extends.
> Moreover, the documentation on https://docs.jboss.org/author/display/AS72/Securing+EJBs does not state that abstract classes should be annotated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


More information about the jboss-jira mailing list
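Added illustration (not part of the original message, and not JBoss AS code): the reporter's setup breaks because of the JSR 250 inheritance rule that a class-level security annotation affects only the members the annotated class itself declares, never members declared by a superclass. The `@RolesAllowed("private")` on `ExampleDAOBean` therefore never reaches the business methods declared by `GenericDAOImpl`; those methods carry no security metadata at all and fall into the path the resolution above describes: implicit allow in AS 7.1, default deny in AS 7.2 unless `default-missing-method-permissions-deny-access` is turned off. The plain Java SE program below models that resolution with reflection, using the JSR 250 annotations shipped in the JDK (Java 8 or earlier; on Java 11+ add the javax/jakarta annotation API jar). The class names `BareGenericDAOImpl`, `AnnotatedGenericDAOImpl`, `DaoOverBareSuper`, `DaoOverAnnotatedSuper`, `DaoOverridingFind` and the method `find` are made up for the demonstration; `@Stateless` and `@SecurityDomain` are omitted and the generics dropped because nothing here runs in a container, and the real container also consults deployment descriptors, which this model ignores.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/**
 * Model (not container code) of how an EJB container resolves the roles that may
 * call a business method: a method-level annotation wins; otherwise the class-level
 * annotation of the class that DECLARES the method applies; a method with no
 * metadata at all falls back to the container default (AS 7.1 allow, AS 7.2 deny).
 */
public class MissingMethodPermissions {

    static final Set<String> ANY_ROLE = Collections.singleton("*");

    interface GenericDAO { Object find(long id); }

    // 1. The reporter's failing case: the abstract superclass has no security annotation.
    static abstract class BareGenericDAOImpl implements GenericDAO {
        public Object find(long id) { return "row " + id; }
    }
    @RolesAllowed("private")
    static class DaoOverBareSuper extends BareGenericDAOImpl {}

    // 2. The reporter's working case: the superclass itself is annotated.
    @RolesAllowed("private")
    static abstract class AnnotatedGenericDAOImpl implements GenericDAO {
        public Object find(long id) { return "row " + id; }
    }
    @RolesAllowed("private")
    static class DaoOverAnnotatedSuper extends AnnotatedGenericDAOImpl {}

    // 3. Alternative fix: override the inherited method so the bean class declares it.
    @RolesAllowed("private")
    static class DaoOverridingFind extends BareGenericDAOImpl {
        @Override public Object find(long id) { return super.find(id); }
    }

    /**
     * Roles permitted to call m, "*" for @PermitAll, an empty set for @DenyAll,
     * or null when neither the method nor its declaring class carries metadata.
     * Note m.getDeclaringClass(): for an inherited method that is the superclass,
     * not the bean class the caller sees.
     */
    static Set<String> declaredRoles(Method m) {
        if (m.isAnnotationPresent(DenyAll.class)) return Collections.emptySet();
        if (m.isAnnotationPresent(PermitAll.class)) return ANY_ROLE;
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) {
            Class<?> declaring = m.getDeclaringClass();
            if (declaring.isAnnotationPresent(PermitAll.class)) return ANY_ROLE;
            ra = declaring.getAnnotation(RolesAllowed.class);
        }
        return ra == null ? null : new TreeSet<>(Arrays.asList(ra.value()));
    }

    /** Whether a caller holding role may invoke m under the given default for missing metadata. */
    static boolean isAllowed(Method m, String role, boolean denyWhenMissing) {
        Set<String> roles = declaredRoles(m);
        if (roles == null) return !denyWhenMissing;   // AS 7.1: allow, AS 7.2: deny
        return roles.contains("*") || roles.contains(role);
    }

    /** The business method the container would dispatch for a bean class. */
    static Method findMethod(Class<?> bean) throws NoSuchMethodException {
        return bean.getMethod("find", long.class);     // resolves inherited methods too
    }

    public static void main(String[] args) throws Exception {
        Class<?>[] beans = { DaoOverBareSuper.class, DaoOverAnnotatedSuper.class, DaoOverridingFind.class };
        for (boolean denyWhenMissing : new boolean[] { false, true }) {
            System.out.println(denyWhenMissing ? "AS 7.2 default (deny missing):" : "AS 7.1 default (allow missing):");
            for (Class<?> bean : beans) {
                Method m = findMethod(bean);
                System.out.printf("  %-22s declared by %-24s roles=%-10s 'private' may call: %b%n",
                        bean.getSimpleName(), m.getDeclaringClass().getSimpleName(),
                        declaredRoles(m), isAllowed(m, "private", denyWhenMissing));
            }
        }
    }
}
```

Running it shows `DaoOverBareSuper.find` resolved to a method declared by `BareGenericDAOImpl` with no roles, allowed only under the 7.1 default and denied under 7.2, while both `DaoOverAnnotatedSuper` and `DaoOverridingFind` are callable by `private` under either default. From a least-privilege standpoint the last two are the fixes to prefer: annotating the abstract superclass (or overriding the inherited methods in the bean) keeps the container's default-deny intact, whereas flipping `default-missing-method-permissions-deny-access` to false re-opens every unannotated method in every deployment.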