[jboss-jira] [JBoss JIRA] (AS7-6689) Security annotations should not be required on abstract session beans

Stuart Douglas (JIRA) jira-events at lists.jboss.org
Sun Mar 10 19:33:41 EDT 2013


     [ https://issues.jboss.org/browse/AS7-6689?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stuart Douglas reopened AS7-6689:
---------------------------------



This is not really consistent with how EJB security annotations work. Specifying an annotation on a bean class does not affect methods defined on the super class. 

In particular the behaviour is defined in the following section:

{code}
17.3.2.1 Specification of Method Permissions with Metadata Annotations

If the bean class has superclasses, the following additional rules apply.

- A method permissions value specified on a superclass S applies to the business methods defined by S.

{code}

In this case though we are in undefined territory anyway, as the super class has no security metadata so the spec does not specify how to handle it.

I think it may make sense in this case to make the class level default the same as that defined on the EJB class. We could potentially make this work the other way as well, so that an @RolesAllowed on a super class would be the default for sub classes without security annotations. 




                
> Security annotations should not be required on abstract session beans
> ---------------------------------------------------------------------
>
>                 Key: AS7-6689
>                 URL: https://issues.jboss.org/browse/AS7-6689
>             Project: Application Server 7
>          Issue Type: Bug
>    Affects Versions: EAP 6.1.0.Alpha (7.2.0.Final)
>            Reporter: Samuel Santos
>
> Example project structure:
> {code:java}
> import java.io.Serializable;
> 
> import javax.annotation.security.RolesAllowed;
> import javax.annotation.security.RunAs;
> import javax.ejb.Stateless;
> import javax.ejb.TransactionAttribute;
> import javax.ejb.TransactionAttributeType;
> 
> import org.jboss.ejb3.annotation.SecurityDomain;
> 
> // Caller: runs as "private" when it invokes ExampleDAOBean
> @Stateless
> @RunAs("private")
> @RolesAllowed("simpleuser")
> @SecurityDomain("myRealm")
> @TransactionAttribute(TransactionAttributeType.REQUIRED)
> public class ExampleServiceBean implements ExampleService {}
> 
> // Target bean: its business methods are inherited from GenericDAOImpl
> @Stateless
> @RolesAllowed("private")
> @SecurityDomain("myRealm")
> @TransactionAttribute(TransactionAttributeType.SUPPORTS)
> public class ExampleDAOBean extends GenericDAOImpl<ExampleEntity, Long> implements ExampleDAO {}
> 
> // Abstract superclass that defines the business methods
> @RolesAllowed("private")
> @SecurityDomain("myRealm")
> public abstract class GenericDAOImpl<T, PK extends Serializable> implements GenericDAO<T, PK> {}
> {code}
> If you remove the annotations {{@RolesAllowed("private")}} and {{@SecurityDomain("myRealm")}} from {{GenericDAOImpl}} you will get an "Access Denied" error when invoking {{ExampleDAOBean}} from {{ExampleServiceBean}}.
> This does not make sense. The annotations available on {{ExampleDAOBean}} should override any security constraints in the class that it extends.
> Moreover, the documentation on https://docs.jboss.org/author/display/AS72/Securing+EJBs does not state that abstract classes should be annotated.
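As an added illustration of the EJB 3.1 method-permission rules quoted above (section 17.3.2.1), and not code from the issue, from the reporter, or from AS7: the hypothetical classes below show which class-level {{@RolesAllowed}} value governs each business method when a bean class inherits methods from a superclass. Class and method names are assumptions; {{@SecurityDomain}} and transaction attributes are left out so that only the method-permission rules are in play.

```java
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// Hypothetical superclass (not from the issue). Per the spec rule quoted in the
// comment, a class-level value on a superclass S applies to the business
// methods that S itself defines.
@RolesAllowed("private")
abstract class BaseDAO {

    // Defined by BaseDAO and inherited unchanged by the bean below:
    // effective permission is "private", from BaseDAO's class-level value,
    // regardless of what the bean class declares at class level.
    public void find() { }

    // A method-level value overrides the class-level value of the class that
    // defines the method: count() is PermitAll, not "private".
    @PermitAll
    public void count() { }

    // Defined here without a method-level value; see the override below.
    public void delete() { }

    // If BaseDAO carried no security annotation at all, the spec gives no rule
    // for find(); that unspecified case is what AS7-6689 is about.
}

// Hypothetical bean class. Its class-level value applies only to the business
// methods the bean class itself defines; it does not reach into BaseDAO.
@Stateless
@RolesAllowed("simpleuser")
public class InheritingDAOBean extends BaseDAO {

    // Defined by the bean class: effective permission is "simpleuser".
    public void save() { }

    // Overriding delete() in the bean class makes it a method "defined by" the
    // bean class, so the bean's class-level value ("simpleuser") now applies
    // to delete(); the superclass value ("private") no longer does. This is
    // the spec-conformant way to re-scope an inherited method's permission
    // without annotating the superclass.
    @Override
    public void delete() { super.delete(); }
}
```

Read alongside the reporter's structure: {{ExampleDAOBean}} defines no business methods of its own, so under these rules its class-level {{@RolesAllowed("private")}} has nothing to apply to, and the permissions of the inherited methods are whatever {{GenericDAOImpl}} declares (or, when it declares nothing, the unspecified case discussed in the comment).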

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira