[jboss-jira] [JBoss JIRA] (AS7-6476) missing-method-permissions-exclude-mode isn't available in AS7
Josef Cacek (JIRA)
jira-events at lists.jboss.org
Mon Mar 25 03:49:42 EDT 2013
[ https://issues.jboss.org/browse/AS7-6476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Josef Cacek reopened AS7-6476:
------------------------------
IMO the default behavior of the current version doesn't fit the specification.
{panel:title=JSR 318: Enterprise JavaBeans,Version 3.1}
*17.3.2.3 Unspecified Method Permissions*
It is possible that some methods are not assigned to any security roles nor annotated as DenyAll or contained in the exclude-list element. In this case, the Deployer should assign method permissions for all of the unspecified methods, either by assigning them to security roles, or by marking them as unchecked. If the Deployer does not assigned method permissions to the unspecified methods, those methods must be treated by the container as unchecked.
{panel}
The default behavior (without specifying the configuration element <default-missing-method-permissions-deny-access>) should be "PERMIT" (==unchecked).
> missing-method-permissions-exclude-mode isn't available in AS7
> --------------------------------------------------------------
>
> Key: AS7-6476
> URL: https://issues.jboss.org/browse/AS7-6476
> Project: Application Server 7
> Issue Type: Bug
> Components: EJB
> Affects Versions: 7.1.1.Final, 7.1.3.Final (EAP)
> Reporter: jaikiran pai
> Assignee: jaikiran pai
> Priority: Blocker
> Fix For: EAP 6.1.0.Alpha (7.2.0.Final)
>
>
> Previous versions of JBoss AS allowed users to configure a <missing-method-permissions-exclude-mode> element which would decide whether methods without any specific security configurations, on a secured bean, are allowed access or not.
> In AS7, we allow access to such methods and it behaves similarly to @PermitAll. We should allow users to have control over this.
> Related article http://anil-identity.blogspot.in/2010/02/tip-interpretation-of-missing-ejb.html
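An added example, not part of the original message or of the JBoss code base: a reflection check that lists the business methods of a bean class carrying no method-permission annotation, which are the methods whose access depends on the container default discussed above. `AccountBean` and the nested stand-in annotations are constructed for the demo (a real audit would match the `javax.annotation.security` types), and method permissions or exclude lists declared in `ejb-jar.xml` are not considered.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class UnspecifiedPermissionAudit {
    // Constructed stand-ins so the demo runs without the Java EE API jar.
    @Retention(RetentionPolicy.RUNTIME) @interface RolesAllowed { String[] value(); }
    @Retention(RetentionPolicy.RUNTIME) @interface PermitAll {}
    @Retention(RetentionPolicy.RUNTIME) @interface DenyAll {}

    // Matched by simple name (assumption made for the demo only).
    static final Set<String> PERMISSION_ANNOTATIONS =
            new HashSet<>(Arrays.asList("RolesAllowed", "PermitAll", "DenyAll"));

    static boolean hasPermission(AnnotatedElement element) {
        for (Annotation a : element.getAnnotations())
            if (PERMISSION_ANNOTATIONS.contains(a.annotationType().getSimpleName())) return true;
        return false;
    }

    // Public instance methods with no method-level and no class-level permission.
    static List<String> unspecifiedMethods(Class<?> bean) {
        List<String> found = new ArrayList<>();
        if (hasPermission(bean)) return found; // class-level annotation covers every method
        for (Method m : bean.getDeclaredMethods()) {
            int mod = m.getModifiers();
            if (Modifier.isPublic(mod) && !Modifier.isStatic(mod)
                    && !m.isSynthetic() && !hasPermission(m)) found.add(m.getName());
        }
        Collections.sort(found);
        return found;
    }

    // Constructed sample bean: balance() is the "unspecified" case from the issue.
    public static class AccountBean {
        @RolesAllowed("teller") public void withdraw(String id, long cents) {}
        public long balance(String id) { return 0L; }
        @DenyAll public void purge() {}
    }

    public static void main(String[] args) {
        for (String name : unspecifiedMethods(AccountBean.class))
            System.out.println("unspecified method permission: AccountBean." + name + "()");
    }
}
```

Each method it reports is one to annotate explicitly, so that access to it no longer depends on the container default.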