1.
because @SecurityDomain is jboss specific, is there a way to remove it from 
class code and keep just the standard @RolesAllowed?

i tried to remove it from source code and have in jboss.xml 

    <security-domain>mobistax</security-domain>

after this, i don't get any security on bean methods.

2.
why is authentication-authorization required for methods with @PermitAll???
there are methods called even before users and roles are created.

one workaround is moving these methods to a class with no @SecurityDomain tag. 
this is bad if you want to keep logical grouping of methods in classes

the other workaround is to have a dummy role for these methods and pass a 
dummy username and password. but this is unnecessary code.

in my opinion, this is a bug.

@PermitAll methods should not need any security credentials associated with 
the thread. No authentication and authorization should be done.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3956109#3956109
