[jboss-jira] [JBoss JIRA] (AS7-6689) Security annotations should not be required on abstract session beans

Stuart Douglas (JIRA) jira-events at lists.jboss.org
Sun Mar 10 19:33:42 EDT 2013


     [ https://issues.jboss.org/browse/AS7-6689?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stuart Douglas updated AS7-6689:
--------------------------------

     Issue Type: Feature Request  (was: Bug)
       Assignee: jaikiran pai
    Component/s: EJB

    
> Security annotations should not be required on abstract session beans
> ---------------------------------------------------------------------
>
>                 Key: AS7-6689
>                 URL: https://issues.jboss.org/browse/AS7-6689
>             Project: Application Server 7
>          Issue Type: Feature Request
>          Components: EJB
>    Affects Versions: EAP 6.1.0.Alpha (7.2.0.Final)
>            Reporter: Samuel Santos
>            Assignee: jaikiran pai
>
> Example project structure:
> {code:java}
> @Stateless
> @RunAs("private")
> @RolesAllowed("simpleuser")
> @SecurityDomain("myRealm")
> @TransactionAttribute(TransactionAttributeType.REQUIRED)
> public class ExampleServiceBean implements ExampleService {}
>
> @Stateless
> @RolesAllowed("private")
> @SecurityDomain("myRealm")
> @TransactionAttribute(TransactionAttributeType.SUPPORTS)
> public class ExampleDAOBean extends GenericDAOImpl<ExampleEntity, Long> implements ExampleDAO {}
>
> @RolesAllowed("private")
> @SecurityDomain("myRealm")
> public abstract class GenericDAOImpl<T, PK extends Serializable> implements GenericDAO<T, PK> {}
> {code}
> If you remove the annotations {{@RolesAllowed("private")}} and {{@SecurityDomain("myRealm")}} from {{GenericDAOImpl}} you will get an "Access Denied" error when invoking {{ExampleDAOBean}} from {{ExampleServiceBean}}.
> This does not make sense. The annotations available on {{ExampleDAOBean}} should override any security constraints in the class that it extends.
> Moreover, the documentation on https://docs.jboss.org/author/display/AS72/Securing+EJBs does not state that abstract classes should be annotated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
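
The behaviour reported above can be reproduced outside a container. This added example is not part of the original message and is not JBoss code. It resolves permissions with the declaring-class scoping that JSR-250 defines for class-level annotations, so a method inherited from an unannotated parent picks up nothing from the subclass. The local `RolesAllowed` stand-in, the method names `save` and `findByName`, and the deny-when-unspecified policy (matching the "Access Denied" in the report) are assumptions.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class DeclaringClassRoles {
    // Local stand-in for javax.annotation.security.RolesAllowed (assumption),
    // so the example compiles without a container on the classpath.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RolesAllowed { String[] value(); }

    // Constructed hierarchy mirroring the report: the abstract parent has no annotation.
    static abstract class GenericDAOImpl { public void save() {} }

    @RolesAllowed("private")
    static class ExampleDAOBean extends GenericDAOImpl { public void findByName() {} }

    // A method-level annotation wins; otherwise only the class that DECLARES
    // the method is consulted, never the concrete bean class that inherits it.
    static Optional<Set<String>> effectiveRoles(Class<?> bean, String name)
            throws NoSuchMethodException {
        Method m = bean.getMethod(name);
        RolesAllowed r = m.getAnnotation(RolesAllowed.class);
        if (r == null) r = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        return r == null
                ? Optional.empty()
                : Optional.of(new LinkedHashSet<>(Arrays.asList(r.value())));
    }

    // Assumed policy: a method with no permission metadata is denied to every caller.
    static boolean allowed(Class<?> bean, String name, Set<String> callerRoles)
            throws NoSuchMethodException {
        return effectiveRoles(bean, name)
                .map(roles -> !Collections.disjoint(roles, callerRoles))
                .orElse(false);
    }

    public static void main(String[] args) throws Exception {
        Set<String> caller = Set.of("private"); // caller identity after @RunAs("private")
        // Declared in ExampleDAOBean: covered by its class-level annotation.
        System.out.println("findByName: " + allowed(ExampleDAOBean.class, "findByName", caller));
        // Inherited from GenericDAOImpl: no annotation found on the declaring class.
        System.out.println("save:       " + allowed(ExampleDAOBean.class, "save", caller));
    }
}
```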
