[jboss-jira] [JBoss JIRA] (AS7-6689) Security annotations should not be required on abstract session beans
Samuel Santos (JIRA)
jira-events at lists.jboss.org
Sun Mar 10 19:17:41 EDT 2013
[ https://issues.jboss.org/browse/AS7-6689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12760065#comment-12760065 ]
Samuel Santos commented on AS7-6689:
------------------------------------
I was not talking about the defaults, I agree that deny should be the default.
But I also think that the behavior should be overridden by the annotations set on ExampleDAOBean when calling instances of that class.
It should be identical to what happens with @TransactionAttribute annotations.
Since GenericDAOImpl does not have a @TransactionAttribute annotation, it will assume TransactionAttributeType.REQUIRED, but it will be overridden by @TransactionAttribute(TransactionAttributeType.SUPPORTS) when calling methods from an ExampleDAOBean instance.
Finally, I firmly believe that the correct behavior should be deny when calling a GenericDAOImpl instance directly (assuming it's not an abstract class) but it should be @RolesAllowed("private") when calling ExampleDAOBean instances.
> Security annotations should not be required on abstract session beans
> ---------------------------------------------------------------------
>
> Key: AS7-6689
> URL: https://issues.jboss.org/browse/AS7-6689
> Project: Application Server 7
> Issue Type: Bug
> Affects Versions: EAP 6.1.0.Alpha (7.2.0.Final)
> Reporter: Samuel Santos
>
> Example project structure:
> {code:java}
> @Stateless
> @RunAs("private")
> @RolesAllowed("simpleuser")
> @SecurityDomain("myRealm")
> @TransactionAttribute(TransactionAttributeType.REQUIRED)
> public class ExampleServiceBean implements ExampleService {}
>
> @Stateless
> @RolesAllowed("private")
> @SecurityDomain("myRealm")
> @TransactionAttribute(TransactionAttributeType.SUPPORTS)
> public class ExampleDAOBean extends GenericDAOImpl<ExampleEntity, Long> implements ExampleDAO {}
>
> @RolesAllowed("private")
> @SecurityDomain("myRealm")
> public abstract class GenericDAOImpl<T, PK extends Serializable> implements GenericDAO<T, PK> {}
> {code}
> If you remove the annotations {{@RolesAllowed("private")}} and {{@SecurityDomain("myRealm")}} from {{GenericDAOImpl}} you will get an "Access Denied" error when invoking {{ExampleDAOBean}} from {{ExampleServiceBean}}.
> This does not make sense. The annotations available on {{ExampleDAOBean}} should override any security constraints in the class that it extends.
> Moreover, the documentation on https://docs.jboss.org/author/display/AS72/Securing+EJBs does not state that abstract classes should be annotated.
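To make the "most specific annotation wins, deny when nothing is annotated" rule the commenter argues for concrete, here is a small stand-alone resolver. It is an added illustration, not code from the issue or from the application server: the `RolesAllowed`/`PermitAll`/`DenyAll` annotations are local stand-ins for the JSR-250 ones so it compiles on a plain JDK (9+, for `Set.of`), and the `rolesFor` lookup order (method on the declaring class, then class-level walking up from the bean class) is the assumed expected behaviour, not a statement of what AS7 actually does.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.util.Set;

// Local stand-ins for javax.annotation.security.* (assumption: same shape, runtime-retained).
@Retention(RetentionPolicy.RUNTIME) @interface RolesAllowed { String[] value(); }
@Retention(RetentionPolicy.RUNTIME) @interface PermitAll {}
@Retention(RetentionPolicy.RUNTIME) @interface DenyAll {}

// Abstract base with no security annotations, mirroring the stripped-down GenericDAOImpl.
abstract class GenericDAOImpl<T> {
    public T find(long id) { return null; }
}

// Concrete bean: the class-level annotation here is what should govern find().
@RolesAllowed("private")
class ExampleDAOBean extends GenericDAOImpl<String> {}

public class RoleResolver {
    /**
     * Resolves the roles permitted to call methodName on bean.
     * Order: annotation on the method itself, then class-level annotation on the
     * most specific class up the hierarchy; nothing found anywhere means deny.
     */
    static Set<String> rolesFor(Class<?> bean, String methodName) throws NoSuchMethodException {
        Method m = bean.getMethod(methodName, long.class);
        if (m.isAnnotationPresent(DenyAll.class)) return Set.of();
        if (m.isAnnotationPresent(PermitAll.class)) return Set.of("*");
        RolesAllowed onMethod = m.getAnnotation(RolesAllowed.class);
        if (onMethod != null) return Set.of(onMethod.value());
        // Walk from the bean class upwards so the subclass overrides its superclasses.
        for (Class<?> c = bean; c != null && c != Object.class; c = c.getSuperclass()) {
            if (c.isAnnotationPresent(DenyAll.class)) return Set.of();
            if (c.isAnnotationPresent(PermitAll.class)) return Set.of("*");
            RolesAllowed onClass = c.getAnnotation(RolesAllowed.class);
            if (onClass != null) return Set.of(onClass.value());
        }
        return Set.of(); // secure default: deny when no annotation applies
    }

    public static void main(String[] args) throws Exception {
        // The subclass annotation applies even though GenericDAOImpl has none.
        System.out.println("ExampleDAOBean.find  -> " + rolesFor(ExampleDAOBean.class, "find"));
        // Resolving the unannotated base directly falls through to deny.
        System.out.println("GenericDAOImpl.find  -> " + rolesFor(GenericDAOImpl.class, "find"));
    }
}
```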