1. Re: User friendly warning when @PermitAll and unauthenticate
anil.saldhana May 2, 2007 12:23 PM (in response to wolfc)
Right way: do not force the user to always have an unauth annotation in his beans. He can specify the unauth identity in any of the following:
a) Security Domain
b) jboss.xml
c) jboss-app.xml
I would prefer the @UI injection that you do for @SD. I am not a big fan of custom annotations. I like your injection stuff.
A log.trace should be done for the warning message.
Carlo de Wolf wrote:
> Thought as much. Hmm, I think we could use a warning message if we spot
> a @PermitAll without an unauthenticatedPrincipal and we don't get
> supplied with a principal from the caller. Any objections?
>
> Carlo
>
> On Wed, 2007-05-02 at 08:40 -0700, Scott M Stark wrote:
>
>> Unchecked applies to the allowed roles. By default it still needs an
>> authenticated user. If you don't want that, don't annotate the method
>> with a permission, or setup the security domain to allow unauthenticated
>> users. Without such a distinction, the @PermitAll annotation is meaningless.
>>
>> Anil Saldhana wrote:
>>
>>> So if the user does not provide any username/principal, then the
>>> unauthenticatedIdentity setting (if present) will kick in.
>>>
>>> Anil Saldhana wrote:
>>>
>>>> That is because Scott thinks that any unchecked method should not be
>>>> totally open to the world. Only authenticated principals should have
>>>> access.
>>>>
>>>> Carlo de Wolf wrote:
>>>>
>>>>> Do either one of you know why a @PermitAll requires an
>>>>> unauthenticatedPrincipal (on SecurityDomain)?
>>>>> I want the answer beyond: TCK requires AuthorizationInterceptors. :-)
>>>>>
>>>>> Carlo

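The decision described in the post above (a @PermitAll method still needs an identity; the configured unauthenticatedIdentity fills in when the caller supplies none; otherwise the call is denied and the proposed warning is logged) as an added illustration that is not JBoss's code: the PermitAll annotation, HelloBean and authorize() below are constructed stand-ins for the real container interceptor.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.util.logging.Logger;

/** Constructed model of the @PermitAll / unauthenticatedPrincipal check; not JBoss code. */
public class PermitAllCheck {
    // Hypothetical stand-in for javax.annotation.security.PermitAll so this compiles stand-alone.
    @Retention(RetentionPolicy.RUNTIME) @interface PermitAll {}

    private static final Logger log = Logger.getLogger(PermitAllCheck.class.getName());

    /**
     * Returns the principal the call runs as, or throws SecurityException.
     * callerPrincipal is what the caller supplied (null if nothing);
     * unauthenticatedPrincipal is the security-domain / jboss.xml setting (null if absent).
     */
    static String authorize(Method m, String callerPrincipal, String unauthenticatedPrincipal) {
        if (!m.isAnnotationPresent(PermitAll.class)) {
            throw new IllegalArgumentException("only @PermitAll methods are modelled here");
        }
        // @PermitAll (unchecked) only relaxes the role check; an identity is still required.
        if (callerPrincipal != null) {
            return callerPrincipal;
        }
        // No principal from the caller: the unauthenticatedIdentity setting kicks in if present.
        if (unauthenticatedPrincipal != null) {
            return unauthenticatedPrincipal;
        }
        // The user-friendly warning proposed in the thread, emitted at trace level (finest here).
        log.finest("@PermitAll on " + m.getName()
                + " invoked without a principal and no unauthenticatedPrincipal configured; denying");
        throw new SecurityException("Authentication required for " + m.getName());
    }

    // Constructed sample bean.
    static class HelloBean { @PermitAll public String hello() { return "hi"; } }

    public static void main(String[] args) throws Exception {
        Method hello = HelloBean.class.getMethod("hello");
        System.out.println(authorize(hello, "alice", null));      // caller identity wins
        System.out.println(authorize(hello, null, "anonymous"));  // configured default fills in
        try {
            authorize(hello, null, null);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());      // neither present: denied
        }
    }
}
```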
2. Re: User friendly warning when @PermitAll and unauthenticate
wolfc May 14, 2007 3:12 AM (in response to wolfc)
Or maybe we should have a sensible default as unauthenticatedPrincipal? ('guest' or 'anonymous')
That's more in spirit with Java EE 5.

3. Re: User friendly warning when @PermitAll and unauthenticate
anil.saldhana May 14, 2007 10:54 AM (in response to wolfc)
The default should be coming from a central location for ejb2 and ejb3. For JBoss5, I think it will come from the security deployer as specified in the following discussion.
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=106897
Of course, the server will ship with a default.
For 4.2, I guess the default should come from the JaasSecurityManagerService.