I'm trying to call an EJB with security annotations set on it, but only some of them work properly. Here is the EJB that I have:
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.Stateless;
// On older JBoss releases this annotation lives in org.jboss.annotation.security instead
import org.jboss.ejb3.annotation.SecurityDomain;

@SecurityDomain("simple-security-domain")
// Class-level default: applies to every business method that has no annotation of its own
@RolesAllowed({ "bank-manager", "teller" })
@Stateless
public class StatelessCalculatorBean implements Calculator, CalculatorRemote {

    @EJB(beanName = "InterestRateMBean")
    private InterestRateManager interstRateManager;

    // No method-level annotation, so the class-level @RolesAllowed should govern this method
    public double calculateTotalInterest(double presentValue, int years) {
        return calculateFutureValue(presentValue, years) - presentValue;
    }

    @RolesAllowed("teller")
    public double calculateFutureValue(double presentValue, int years) {
        double interestRate = interstRateManager.getInterestRate() / 100;
        return presentValue * Math.pow((1.0 + interestRate), years);
    }

    @RolesAllowed("bank-manager")
    public double getInterestRate() {
        return interstRateManager.getInterestRate();
    }

    @DenyAll
    public String getTheAnswerToLifeTheUniverseAndEverything() {
        return "42";
    }

    @PermitAll
    public String freeForAll() {
        return "You're in!";
    }

}

Here are my roles:

admin=bank-manager,teller
bank-manager=bank-manager
teller=teller
joe=customer

Here is what happens when I try to access the various methods from a standalone client:

--------------------------------------------
User: admin, Roles: bank-manager, teller
--------------------------------------------
admin could call calculateFutureValue (requires 'teller')
admin could call calculateTotalInterest (requires 'bank-manager' or 'teller')
admin could call getInterestRate (requires 'bank-manager')
admin could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
admin could not call freeForAll (PermitAll) - Caller unauthorized
--------------------------------------------
User: bank-manager, Roles: bank-manager
--------------------------------------------
bank-manager could not call calculateFutureValue (requires 'teller') - Caller unauthorized
bank-manager could call calculateTotalInterest (requires 'bank-manager' or 'teller')
bank-manager could call getInterestRate (requires 'bank-manager')
bank-manager could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
bank-manager could not call freeForAll (PermitAll) - Caller unauthorized
--------------------------------------------
User: teller, Roles: teller
--------------------------------------------
teller could call calculateFutureValue (requires 'teller')
teller could call calculateTotalInterest (requires 'bank-manager' or 'teller')
teller could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
teller could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
teller could not call freeForAll (PermitAll) - Caller unauthorized
--------------------------------------------
User: joe, Roles: customer
--------------------------------------------
joe could not call calculateFutureValue (requires 'teller') - Caller unauthorized
joe could call calculateTotalInterest (requires 'bank-manager' or 'teller')
joe could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
joe could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
joe could not call freeForAll (PermitAll) - Caller unauthorized

There are two problems (bugs?):

1) @PermitAll does not work for any of the roles.

2) From my understanding, the class-level @RolesAllowed annotation should apply to all the methods that don't override this with their own method-level @RolesAllowed annotation. As seen in the output above, everybody was able to access calculateTotalInterest() even though only bank-manager and teller were supposed to have access.

Has anybody else encountered this? I'll be glad to open a JIRA issue if these are bugs.
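Added illustration, not part of the original post: the script below encodes the EJB 3 annotation precedence rules (method-level annotation overrides the class-level @RolesAllowed; @DenyAll rejects everyone, @PermitAll admits everyone) for the bean above, computes the access matrix those rules should yield, and diffs it against the client output in the post. Method names and role assignments are transcribed from the post; the "observed" table is the post's output, not a new measurement.

```python
# Class-level default and per-method annotations of StatelessCalculatorBean (from the post).
# None means "no method-level annotation", so the class-level @RolesAllowed applies.
CLASS_ROLES_ALLOWED = {"bank-manager", "teller"}
METHOD_ANNOTATIONS = {
    "calculateTotalInterest": None,
    "calculateFutureValue": ("RolesAllowed", {"teller"}),
    "getInterestRate": ("RolesAllowed", {"bank-manager"}),
    "getTheAnswerToLifeTheUniverseAndEverything": ("DenyAll", None),
    "freeForAll": ("PermitAll", None),
}

# Principal -> roles, from the post's roles file.
USERS = {
    "admin": {"bank-manager", "teller"},
    "bank-manager": {"bank-manager"},
    "teller": {"teller"},
    "joe": {"customer"},
}

# Methods each user could actually call, transcribed from the post's client output.
OBSERVED_ALLOWED = {
    "admin": {"calculateFutureValue", "calculateTotalInterest", "getInterestRate"},
    "bank-manager": {"calculateTotalInterest", "getInterestRate"},
    "teller": {"calculateFutureValue", "calculateTotalInterest"},
    "joe": {"calculateTotalInterest"},
}


def expected_access(user_roles, method):
    """Spec behaviour: method-level annotation wins; otherwise the class-level roles apply."""
    annotation = METHOD_ANNOTATIONS[method]
    if annotation is None:
        return bool(user_roles & CLASS_ROLES_ALLOWED)
    kind, roles = annotation
    if kind == "DenyAll":
        return False
    if kind == "PermitAll":
        return True
    return bool(user_roles & roles)  # RolesAllowed: any one listed role suffices


def deviations():
    """(user, method, expected, observed) for every cell where the server disagrees with the spec."""
    return [(u, m, expected_access(r, m), m in OBSERVED_ALLOWED[u])
            for u, r in USERS.items() for m in METHOD_ANNOTATIONS
            if expected_access(r, m) != (m in OBSERVED_ALLOWED[u])]


def unexpected_grants():
    """The security-relevant subset: calls that were allowed but should have been denied."""
    return [(u, m) for u, m, exp, obs in deviations() if obs and not exp]
```

Running `deviations()` isolates the two findings in the post: `freeForAll` is denied to all four users although @PermitAll should admit them, and `unexpected_grants()` flags only joe's call to `calculateTotalInterest`, the one case that is an actual authorization bypass rather than a spurious denial.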
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4123579#4123579

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4123579

_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user