[jboss-jira] [JBoss JIRA] (WFLY-3988) Authorization denied for authenticated users when @PermitAll is used on EJB JAX-WS endpoint

Alessio Soldano (JIRA) issues at jboss.org
Tue Oct 21 06:26:35 EDT 2014


    [ https://issues.jboss.org/browse/WFLY-3988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13013786#comment-13013786 ] 

Alessio Soldano commented on WFLY-3988:
---------------------------------------

I've had a look and basically this is kind of by design. When you deploy an EJB bean annotated with @WebService, the ws stack basically ends up creating a web application (with the metadata corresponding to a web.xml) for serving the SOAP requests over HTTP. A servlet is created for each endpoint bean and the web layer security is controlled by the addition of @WebContext annotation. The security-roles declared in the web.xml for the web application are derived by the union of the roles declared at class level for each endpoint in the deployment. There's no method granularity at web.xml level.

How about having a @PermitAll annotation at class level in the example above?

> Authorization denied for authenticated users when @PermitAll is used on EJB JAX-WS endpoint
> -------------------------------------------------------------------------------------------
>
>                 Key: WFLY-3988
>                 URL: https://issues.jboss.org/browse/WFLY-3988
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web Services
>    Affects Versions: 8.1.0.Final
>            Reporter: Kyle Lape
>            Assignee: Alessio Soldano
>
> Given this endpoint:
> {code:java}
> package com.redhat.gss; // assumed: same package as the SEI named in endpointInterface
>
> import javax.annotation.security.DeclareRoles;
> import javax.annotation.security.PermitAll;
> import javax.annotation.security.RolesAllowed;
> import javax.ejb.Stateless;
> import javax.jws.WebService;
>
> import org.jboss.ws.api.annotation.WebContext;
>
> @Stateless
> @WebService(endpointInterface="com.redhat.gss.SecureEndpoint")
> @DeclareRoles({"a","b"})   // class-level roles; these drive the generated web-layer constraint
> @WebContext(contextRoot="/endpoint",urlPattern="/e",authMethod="BASIC")
> public class SecureEndpointE implements SecureEndpoint {
>   @RolesAllowed({"a"})
>   public String a() {
>     return "Success";
>   }
>   @RolesAllowed({"b"})
>   public String b() {
>     return "Success";
>   }
>   @PermitAll               // method-level only: checked by the EJB container, not the web layer
>   public String c() {
>     return "Success";
>   }
> }
> {code}
> One would expect any authenticated user to be able to invoke {{c()}}, but only users with a role found in {{@DeclareRoles}} can invoke it.
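The following is an added illustration, not WildFly or JBossWS code, of the two-layer behaviour Alessio describes: at deployment time the ws stack derives a single web.xml security constraint per deployment from the union of every endpoint's class-level roles, and at request time the web container applies that constraint before the EJB container ever sees the method-level {{@RolesAllowed}} / {{@PermitAll}}. The endpoint data is constructed from the bean in the report; the second endpoint ({{OtherEndpoint}}, role {{c}}) and the rendered XML layout are assumptions used to show the union effect, not something the issue states.

```python
"""Model of the web-layer / EJB-layer authorization split described in WFLY-3988.

Added illustration only (not WildFly/JBossWS code).  Every SOAP operation of an
endpoint arrives on the same url-pattern, so the derived web.xml constraint
cannot distinguish c() from a() or b(); per-method annotations are enforced
later, by the EJB container, and only for requests that already passed the web
layer.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Endpoint:
    name: str
    url_pattern: str                               # from @WebContext(urlPattern=...)
    class_roles: FrozenSet[str]                    # from @DeclareRoles on the bean class
    methods: Dict[str, Optional[FrozenSet[str]]]   # method -> @RolesAllowed; None models @PermitAll


# Constructed from the endpoint in the issue.
SECURE_ENDPOINT_E = Endpoint(
    name="SecureEndpointE",
    url_pattern="/e",
    class_roles=frozenset({"a", "b"}),
    methods={"a": frozenset({"a"}), "b": frozenset({"b"}), "c": None},
)
# Assumed second endpoint in the same deployment, used only to show the union rule.
OTHER_ENDPOINT = Endpoint(
    name="OtherEndpoint",
    url_pattern="/o",
    class_roles=frozenset({"c"}),
    methods={"x": frozenset({"c"})},
)
DEPLOYMENT: List[Endpoint] = [SECURE_ENDPOINT_E]
DEPLOYMENT_WITH_OTHER: List[Endpoint] = [SECURE_ENDPOINT_E, OTHER_ENDPOINT]


def web_roles(deployment: List[Endpoint]) -> FrozenSet[str]:
    """Union of class-level roles over all endpoints: the roles of the single
    web.xml auth-constraint guarding every endpoint servlet in the deployment."""
    roles: set = set()
    for ep in deployment:
        roles |= ep.class_roles
    return frozenset(roles)


def render_web_xml(deployment: List[Endpoint]) -> str:
    """Approximate shape of the derived web.xml security metadata.  The exact
    element layout JBossWS emits is an assumption here; the role set is the point."""
    roles = sorted(web_roles(deployment))
    lines = ["<security-constraint>", "  <web-resource-collection>"]
    lines += [f"    <url-pattern>{ep.url_pattern}</url-pattern>" for ep in deployment]
    lines += ["  </web-resource-collection>", "  <auth-constraint>"]
    lines += [f"    <role-name>{r}</role-name>" for r in roles]
    lines += ["  </auth-constraint>", "</security-constraint>"]
    lines += [f"<security-role><role-name>{r}</role-name></security-role>" for r in roles]
    return "\n".join(lines)


def invoke(deployment: List[Endpoint], endpoint: Endpoint, method: str,
           user_roles: FrozenSet[str], authenticated: bool = True) -> str:
    """Walk one SOAP request through both layers and report where it stops."""
    constraint = web_roles(deployment)
    # Web layer: BASIC auth must succeed and the principal must hold one of the
    # constraint roles.  A method-level @PermitAll is invisible at this point.
    if not authenticated:
        return "401: web layer, no credentials"
    if not (constraint & user_roles):
        return f"403: web layer, needs one of {sorted(constraint)}"
    # EJB layer: only now are the method-level annotations consulted.
    allowed = endpoint.methods[method]
    if allowed is not None and not (allowed & user_roles):
        return f"EJBAccessException: {method}() needs one of {sorted(allowed)}"
    return "Success"


if __name__ == "__main__":
    print(render_web_xml(DEPLOYMENT))
    for roles in (frozenset({"a"}), frozenset({"x"}), frozenset()):
        print(sorted(roles), "->", invoke(DEPLOYMENT, SECURE_ENDPOINT_E, "c", roles, bool(roles)))
```

Run as written, the model reproduces the report: a user holding role {{a}} reaches {{c()}}, an authenticated user holding only an undeclared role is rejected with a 403 before the EJB container runs, and {{b()}} is still refused to that same {{a}} user at the EJB layer. The two-endpoint deployment shows the other half of the union rule: once {{OtherEndpoint}} declares role {{c}} at class level, a {{c}}-only user passes the web constraint on {{/e}} as well and can call {{SecureEndpointE.c()}}.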


