[jbossws-issues] [JBoss JIRA] (JBWS-3485) JBoss AS 7 requires authentication for unsecured methods
Abhijit Sarkar (JIRA)
jira-events at lists.jboss.org
Thu Apr 12 22:49:47 EDT 2012
Abhijit Sarkar created JBWS-3485:
------------------------------------
Summary: JBoss AS 7 requires authentication for unsecured methods
Key: JBWS-3485
URL: https://issues.jboss.org/browse/JBWS-3485
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public (Everyone can see)
Environment: Mac OS X, Apple JDK 1.6.31, JBoss AS 7.1.1.Final
Reporter: Abhijit Sarkar
*** Not sure about component or affect versions, please excuse ***
Have a simple EJB3 Endpoint with 3 methods, one unannotated, another annotated @PermitAll and the other one annotated @RolesAllowed. Using security domain "other" with 2 users, details shown below. JBoss returns 401 when the unannotated/unsecured method is invoked without proper authorization. It shouldn't care about authentication or authorization for the unannotated/unsecured method.
Attached with the forum post is a project that demonstrates the problem. The post started of on an incorrect understanding but ends with the correct one so please read it fully before commenting.
# application-users.properties #
# is for illustration only and does not correspond to a usable password.
#
#admin=2a0923285184943425d1f53ddd58ec7a
user=8544a03c79aee5b1c99458d83ee0f9e0
guest=1bb6b7c18b5c1dab17f5141fa398905a
# application-roles.properties #
#
#admin=PowerUser,BillingAdmin,
#guest=guest
user=AppUser
guest=AppGuest
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jbossws-issues
mailing list