Java Mailing List Archive

http://www.junlu.com/


[JBoss-user] [Security & JAAS/JBoss] - problems with @SecurityDomain @PermitAll

scott.stark@jboss.org

2006-07-07



1. Because @SecurityDomain is JBoss specific, is there a way to remove it from class code and keep just the standard @RolesAllowed?

I tried to remove it from the source code and have this in jboss.xml:

  <security-domain>mobistax</security-domain>

After this, I don't get any security on bean methods.

2. Why is authentication-authorization required for methods with @PermitAll???
There are methods called even before users and roles are created.

One workaround is moving these methods to a class with no @SecurityDomain tag. This is bad if you want to keep logical grouping of methods in classes.

The other workaround is to have a dummy role for these methods and pass a dummy username and password, but this is unnecessary code.

In my opinion, this is a bug.

@PermitAll methods should not need any security credentials associated with the thread. No authentication and authorization should be done.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3956109#3956109
