[jboss-jira] [JBoss JIRA] (WFLY-3988) Authorization denied for authenticated users when @PermitAll is used on EJB JAX-WS endpoint
Jim Ma (JIRA)
issues at jboss.org
Tue Mar 31 06:06:18 EDT 2015
[ https://issues.jboss.org/browse/WFLY-3988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13054900#comment-13054900 ]
Jim Ma commented on WFLY-3988:
------------------------------
To clarify a bit for this issue:
For the above annotated EJB class, it is expected that only users with a role found in @DeclareRoles can invoke c(). Alessio's suggestion led me to find another issue: @PermitAll annotated at class level doesn't work.
My change fixed this issue and enables all authorized users to go through the EJB container's security check. Without this fix, authorization for @PermitAll at class level, or with no class-level security annotation, doesn't work properly.
> Authorization denied for authenticated users when @PermitAll is used on EJB JAX-WS endpoint
> -------------------------------------------------------------------------------------------
>
> Key: WFLY-3988
> URL: https://issues.jboss.org/browse/WFLY-3988
> Project: WildFly
> Issue Type: Bug
> Components: Web Services
> Affects Versions: 8.1.0.Final
> Reporter: Kyle Lape
> Assignee: Jim Ma
> Fix For: 9.0.0.Beta1
>
>
> Given this endpoint:
> {code:java}
> import javax.annotation.security.DeclareRoles;
> import javax.annotation.security.PermitAll;
> import javax.annotation.security.RolesAllowed;
> import javax.ejb.Stateless;
> import javax.jws.WebService;
> import org.jboss.ws.api.annotation.WebContext;
>
> @Stateless
> @WebService(endpointInterface = "com.redhat.gss.SecureEndpoint")
> @DeclareRoles({"a", "b"})
> @WebContext(contextRoot = "/endpoint", urlPattern = "/e", authMethod = "BASIC")
> public class SecureEndpointE implements SecureEndpoint {
>
>     @RolesAllowed({"a"})          // only callers in role "a"
>     public String a() {
>         return "Success";
>     }
>
>     @RolesAllowed({"b"})          // only callers in role "b"
>     public String b() {
>         return "Success";
>     }
>
>     @PermitAll                    // expected: any authenticated caller
>     public String c() {
>         return "Success";
>     }
> }
> {code}
> One would expect any authenticated user to be able to invoke {{c()}}, but only users with a role found in {{@DeclareRoles}} can invoke it.
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
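The EJB authorization rules this issue hinges on, as an added Python model that is not WildFly's code or the reporter's endpoint: a method-level security annotation overrides the class-level one, a method with neither is unchecked, and @PermitAll admits every caller regardless of @DeclareRoles. A second function models the denial the report describes (callers outside @DeclareRoles refused even on @PermitAll) for contrast; the bean descriptor mirrors SecureEndpointE above and every name here is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Union

# Marker values standing in for @PermitAll / @DenyAll; a set of strings
# stands in for @RolesAllowed({...}).  Constructed model, not container code.
PERMIT_ALL = "PermitAll"
DENY_ALL = "DenyAll"
Rule = Union[str, Set[str]]


@dataclass
class SecuredBean:
    declared_roles: Set[str]                      # @DeclareRoles on the class
    class_rule: Optional[Rule] = None             # class-level annotation, if any
    method_rules: Dict[str, Rule] = field(default_factory=dict)


def effective_rule(bean: SecuredBean, method: str) -> Rule:
    """Method-level annotation wins; otherwise the class-level one; otherwise
    the method is unchecked, which behaves like @PermitAll."""
    if method in bean.method_rules:
        return bean.method_rules[method]
    if bean.class_rule is not None:
        return bean.class_rule
    return PERMIT_ALL


def authorize(bean: SecuredBean, method: str, caller_roles: Set[str]) -> bool:
    """Expected EJB container decision for a caller holding caller_roles."""
    rule = effective_rule(bean, method)
    if rule == DENY_ALL:
        return False
    if rule == PERMIT_ALL:
        return True                                # no role required at all
    return bool(caller_roles & rule)               # @RolesAllowed: any listed role


def authorize_as_reported(bean: SecuredBean, method: str, caller_roles: Set[str]) -> bool:
    """Behaviour the issue reports: the caller must additionally hold one of
    the @DeclareRoles roles, so @PermitAll is silently not honoured."""
    if not caller_roles & bean.declared_roles:
        return False
    return authorize(bean, method, caller_roles)


# Descriptor for the endpoint in the report (constructed from its annotations).
SECURE_ENDPOINT_E = SecuredBean(
    declared_roles={"a", "b"},
    method_rules={"a": {"a"}, "b": {"b"}, "c": PERMIT_ALL},
)
```

Calling `authorize(SECURE_ENDPOINT_E, "c", {"guest"})` returns True while `authorize_as_reported` returns False for the same caller, which is exactly the gap the report describes.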