Java Mailing List Archive

JBoss User (12/2007)

[JBoss-user] [Security & JAAS/JBoss] - problems with @SecurityDomain @PermitAll


Because @SecurityDomain is JBoss-specific, is there a way to remove it from class code and keep just the standard @RolesAllowed?

I tried to remove it from source code and have in jboss.xml


After this, I don't get any security on bean methods.

Why is authentication-authorization required for methods with @PermitAll???
There are methods called even before users and roles are created.

One workaround is moving these methods to a class with no @SecurityDomain tag. This is bad if you want to keep logical grouping of methods in classes.

The other workaround is to have a dummy role for these methods and pass a dummy username and password, but this is unnecessary code.

In my opinion, this is a bug.

@PermitAll methods should not need any security credentials associated with the thread. No authentication and authorization should be done.
