[jboss-jira] [JBoss JIRA] (WFLY-3206) @DeclareRoles throws exception when accessing EJB methods

Stuart Douglas (JIRA) issues at jboss.org
Mon Apr 14 17:26:33 EDT 2014


     [ https://issues.jboss.org/browse/WFLY-3206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stuart Douglas resolved WFLY-3206.
----------------------------------

    Resolution: Rejected


This is working as expected.

Because of the presence of a security annotation (@DeclareRoles) we enable security for the EJB, and as the default method permission is not specified in the EJB spec we default to deny to be safe.

You can change this behaviour by changing the <default-missing-methods-deny-access> element in the ejb subsystem in standalone.xml, or by adding the following jboss-ejb3.xml file to your deployment:


{code}
<?xml version="1.0" encoding="UTF-8"?>
<jboss:jboss
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:s="urn:security:1.1"
        version="3.1" impl-version="2.0">

    <assembly-descriptor>
        <s:security>
            <ejb-name>*</ejb-name>
            <s:missing-method-permissions-deny-access>false</s:missing-method-permissions-deny-access>
        </s:security>
    </assembly-descriptor>
</jboss:jboss>
{code}
                
> @DeclareRoles throws exception when accessing EJB methods
> ---------------------------------------------------------
>
>                 Key: WFLY-3206
>                 URL: https://issues.jboss.org/browse/WFLY-3206
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: EJB, Security
>    Affects Versions: 8.0.0.Final
>         Environment: Mac OSX, jdk1.8, jee7
>            Reporter: Dirk Franssen
>            Assignee: David Lloyd
>
> When calling the getWisdom() method from the EJB below from a rest resource (principal = anonymous), it throws an exception. If I add @PermitAll it does not throw an exception. 
> According to jsr-250: "the @DeclareRoles would be used to define roles that could be tested. It could also be used to declare roles that are not implicitly declared as the result of their use in a RolesAllowed annotation on the class or a method of the class."
> @Singleton
> @DeclareRoles("dukes")
> public class Greetings {
>     private String wisdom;
>     
>     @PostConstruct
>     public void initialize(){
>         wisdom = "Java Programming Language Rocks!!!";
>     }
>     
>     public void setWisdom(String wisdom){
>         this.wisdom = wisdom;
>     }
>     
>     public String getWisdom(){
>         return userid + " said " + wisdom;
>     }
> }
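
As an added example (not part of the original message and not WildFly code): a small Python check that scans a jboss-ejb3.xml descriptor for the override shown in the reply above and reports whether it switches off default-deny for every EJB (`*`) or only for a named bean. The function and constant names, and matching elements by local name regardless of namespace version, are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Descriptor from the reply above (XML declaration and unused xsi prefix trimmed).
WILDCARD_OVERRIDE = """
<jboss:jboss xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
        xmlns:s="urn:security:1.1" version="3.1" impl-version="2.0">
    <assembly-descriptor>
        <s:security>
            <ejb-name>*</ejb-name>
            <s:missing-method-permissions-deny-access>false</s:missing-method-permissions-deny-access>
        </s:security>
    </assembly-descriptor>
</jboss:jboss>
"""

# Constructed variants: the override scoped to the Greetings bean only,
# and a descriptor that keeps default-deny switched on.
SCOPED_OVERRIDE = WILDCARD_OVERRIDE.replace(
    "<ejb-name>*</ejb-name>", "<ejb-name>Greetings</ejb-name>")
DENY_KEPT = WILDCARD_OVERRIDE.replace(">false<", ">true<")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_descriptor(xml_text):
    """Return one finding per <security> block that disables default-deny."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for block in root.iter():
        if _local(block.tag) != "security":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in block}
        flag = fields.get("missing-method-permissions-deny-access", "")
        if flag.lower() != "false":
            continue  # default-deny is still in force for this block
        ejb = fields.get("ejb-name", "")
        scope = "all-ejbs" if ejb == "*" else "single-ejb"
        findings.append({"ejb": ejb, "scope": scope})
    return findings


if __name__ == "__main__":
    for label, doc in [("wildcard", WILDCARD_OVERRIDE),
                       ("scoped", SCOPED_OVERRIDE), ("deny kept", DENY_KEPT)]:
        print(label, audit_descriptor(doc))
```

A finding with scope `all-ejbs` means every unannotated method on every bean in the deployment is callable without a role check, so those deployments are the ones to review first.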
