[jbossws-issues] [JBoss JIRA] (JBWS-3485) JBoss AS 7 requires authentication for unsecured methods

[Abhijit Sarkar (JIRA)]

Abhijit Sarkar created JBWS-3485:
------------------------------------

             Summary: JBoss AS 7 requires authentication for unsecured methods
                 Key: JBWS-3485
                 URL: https://issues.jboss.org/browse/JBWS-3485
             Project: JBoss Web Services
          Issue Type: Bug
      Security Level: Public (Everyone can see)
         Environment: Mac OS X, Apple JDK 1.6.31, JBoss AS 7.1.1.Final
            Reporter: Abhijit Sarkar


*** Not sure about component or affect versions, please excuse ***

Have a simple EJB3 Endpoint with 3 methods, one unannotated, another annotated @PermitAll and the other one annotated @RolesAllowed. Using security domain "other" with 2 users, details shown below. JBoss returns 401 when the unannotated/unsecured method is invoked without proper authorization. It shouldn't care about authentication or authorization for the unannotated/unsecured method.
Attached with the forum post is a project that demonstrates the problem. The post started of on an incorrect understanding but ends with the correct one so please read it fully before commenting.

# application-users.properties #
# is for illustration only and does not correspond to a usable password.
#
#admin=2a0923285184943425d1f53ddd58ec7a
user=8544a03c79aee5b1c99458d83ee0f9e0
guest=1bb6b7c18b5c1dab17f5141fa398905a

# application-roles.properties #
#
#admin=PowerUser,BillingAdmin,
#guest=guest
user=AppUser
guest=AppGuest

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira