2 Replies Latest reply on Jul 9, 2006 10:15 PM by kgrjb

    problems with @SecurityDomain @PermitAll

    kgrjb


      1.
      Because @SecurityDomain is JBoss-specific, is there a way to remove it from class code and keep just the standard @RolesAllowed?

      I tried to remove it from the source code and have this in jboss.xml:



      <security-domain>mobistax</security-domain>



      After this, I don't get any security on bean methods.

      2.
      Why is authentication-authorization required for methods with @PermitAll???
      There are methods called even before users and roles are created.

      One workaround is moving these methods to a class with no @SecurityDomain tag. This is bad if you want to keep logical grouping of methods in classes.

      The other workaround is to have a dummy role for these methods and pass a dummy username and password, but this is unnecessary code.

      In my opinion, this is a bug.

      @PermitAll methods should not need any security credentials associated with the thread. No authentication and authorization should be done.