[jboss-jira] [JBoss JIRA] (WFLY-1166) Security annotations should not be required on abstract session beans
Stuart Douglas (JIRA)
jira-events at lists.jboss.org
Fri Oct 4 10:24:02 EDT 2013
[ https://issues.jboss.org/browse/WFLY-1166?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stuart Douglas resolved WFLY-1166.
----------------------------------
Resolution: Rejected
I don't think it is worth adding any more settings to make this configurable. It can already be accomplished by changing the default, and it would not really be consistent, as class-level security annotations only affect methods declared in the class, not superclass methods.
Adding settings to change the way these annotations work would just be confusing IMHO, and would increase the chances of misconfiguration that could inadvertently expose some methods.
> Security annotations should not be required on abstract session beans
> ---------------------------------------------------------------------
>
> Key: WFLY-1166
> URL: https://issues.jboss.org/browse/WFLY-1166
> Project: WildFly
> Issue Type: Feature Request
> Components: EJB
> Reporter: Samuel Santos
> Assignee: Stuart Douglas
>
> Example project structure:
> {code:java}
> import java.io.Serializable;
> import javax.annotation.security.RolesAllowed;
> import javax.annotation.security.RunAs;
> import javax.ejb.Stateless;
> import javax.ejb.TransactionAttribute;
> import javax.ejb.TransactionAttributeType;
> import org.jboss.ejb3.annotation.SecurityDomain;
>
> @Stateless
> @RunAs("private")
> @RolesAllowed("simpleuser")
> @SecurityDomain("myRealm")
> @TransactionAttribute(TransactionAttributeType.REQUIRED)
> public class ExampleServiceBean implements ExampleService {}
>
> @Stateless
> @RolesAllowed("private")
> @SecurityDomain("myRealm")
> @TransactionAttribute(TransactionAttributeType.SUPPORTS)
> public class ExampleDAOBean extends GenericDAOImpl<ExampleEntity, Long> implements ExampleDAO {}
>
> @RolesAllowed("private")
> @SecurityDomain("myRealm")
> public abstract class GenericDAOImpl<T, PK extends Serializable> implements GenericDAO<T, PK> {}
> {code}
> If you remove the annotations {{@RolesAllowed("private")}} and {{@SecurityDomain("myRealm")}} from {{GenericDAOImpl}} you will get an "Access Denied" error when invoking {{ExampleDAOBean}} from {{ExampleServiceBean}}.
> This does not make sense. The annotations available on {{ExampleDAOBean}} should override any security constraints in the class that it extends.
> Moreover, the documentation on https://docs.jboss.org/author/display/AS72/Securing+EJBs does not state that abstract classes should be annotated.
--
This message is automatically generated by JIRA.
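The rule Stuart states in the resolution (a class-level security annotation covers only the methods declared in that class, not methods inherited from a superclass) is what produces the "Access Denied" the reporter saw once the abstract class lost its annotations. The following is an added illustration, not code from the issue or from WildFly: it gives the reporter's classes real method bodies so that it is visible which methods the bean's own `@RolesAllowed("private")` covers and which are left without an explicit permission. `ExampleEntity` and `ExampleDAO` are taken from the report; the `find`/`remove`/`findByName` methods, the `GenericDAO` interface body and the `EntityManager`-backed implementation are assumptions made for this example. Each class is shown as it would sit in its own source file.

```java
// File: GenericDAO.java (interface body assumed for this example)
import java.io.Serializable;

public interface GenericDAO<T, PK extends Serializable> {
    T find(PK id);
    void remove(T entity);
}

// File: GenericDAOImpl.java
// Deliberately carries NO security annotations, matching the reporter's failing case.
// Every method declared here is therefore outside the scope of any class-level
// @RolesAllowed placed on a concrete subclass.
import java.io.Serializable;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

public abstract class GenericDAOImpl<T, PK extends Serializable> implements GenericDAO<T, PK> {
    @PersistenceContext
    protected EntityManager em;
    private final Class<T> entityClass;

    protected GenericDAOImpl(Class<T> entityClass) {
        this.entityClass = entityClass;
    }

    @Override
    public T find(PK id) {               // declared here: NOT covered by the subclass annotation
        return em.find(entityClass, id);
    }

    @Override
    public void remove(T entity) {       // declared here: NOT covered by the subclass annotation
        em.remove(em.merge(entity));
    }
}

// File: ExampleDAOBean.java
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@RolesAllowed("private")
@SecurityDomain("myRealm")
@TransactionAttribute(TransactionAttributeType.SUPPORTS)
public class ExampleDAOBean extends GenericDAOImpl<ExampleEntity, Long> implements ExampleDAO {

    public ExampleDAOBean() {
        super(ExampleEntity.class);
    }

    // Declared in the bean class itself, so the class-level @RolesAllowed("private")
    // applies to it: a caller running as "private" (e.g. ExampleServiceBean via @RunAs)
    // is allowed through.
    public ExampleEntity findByName(String name) {
        return em.createQuery("select e from ExampleEntity e where e.name = :n", ExampleEntity.class)
                 .setParameter("n", name)
                 .getSingleResult();
    }

    // find() and remove() are inherited from GenericDAOImpl and carry no permission
    // of their own. Overriding them in the bean class and stating the permission
    // explicitly is the way to bring them under the bean's security policy without
    // annotating the abstract superclass.
    @Override
    @RolesAllowed("private")
    public ExampleEntity find(Long id) {
        return super.find(id);
    }

    @Override
    @RolesAllowed("private")
    public void remove(ExampleEntity entity) {
        super.remove(entity);
    }
}
```

What happens to an inherited method that ends up with no permission at all is governed by the container default that Stuart refers to as "changing the default"; in the WildFly EJB3 subsystem that is the `default-missing-method-permissions-deny-access` attribute (the attribute name is stated here from knowledge of that subsystem, not from the page). With it set to deny, an unannotated inherited method such as the original `find` above is refused, which is the safe failure the reporter observed; setting it to permit would silently open every such method, which is exactly the inadvertent exposure the resolution warns about. Overriding and annotating in the bean class, as shown, keeps the permission explicit either way.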