Security annotations not working in 5.0.0.Beta3
javidjamae Jan 25, 2008 11:38 AM

I'm trying to call an EJB with security annotations set on it, but only some of them work properly. Here is the EJB that I have:
    @SecurityDomain("simple-security-domain")
    @RolesAllowed( { "bank-manager", "teller" })
    @Stateless
    public class StatelessCalculatorBean implements Calculator, CalculatorRemote {

        @EJB(beanName = "InterestRateMBean")
        private InterestRateManager interstRateManager;

        public double calculateTotalInterest(double presentValue, int years) {
            return calculateFutureValue(presentValue, years) - presentValue;
        }

        @RolesAllowed("teller")
        public double calculateFutureValue(double presentValue, int years) {
            double interestRate = interstRateManager.getInterestRate() / 100;
            return presentValue * Math.pow((1.0 + interestRate), years);
        }

        @RolesAllowed("bank-manager")
        public double getInterestRate() {
            return interstRateManager.getInterestRate();
        }

        @DenyAll
        public String getTheAnswerToLifeTheUniverseAndEverything() {
            return "42";
        }

        @PermitAll
        public String freeForAll() {
            return "You're in!";
        }
    }
Here are my roles:
    admin=bank-manager,teller
    bank-manager=bank-manager
    teller=teller
    joe=customer
Here is what happens when I try to access the various methods from a standalone client:
    --------------------------------------------
    User: admin, Roles: bank-manager, teller
    --------------------------------------------
    admin could call calculateFutureValue (requires 'teller')
    admin could call calculateTotalInterest (requires 'bank-manager' or 'teller')
    admin could call getInterestRate (requires 'bank-manager')
    admin could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
    admin could not call freeForAll (PermitAll) - Caller unauthorized
    --------------------------------------------
    User: bank-manager, Roles: bank-manager
    --------------------------------------------
    bank-manager could not call calculateFutureValue (requires 'teller') - Caller unauthorized
    bank-manager could call calculateTotalInterest (requires 'bank-manager' or 'teller')
    bank-manager could call getInterestRate (requires 'bank-manager')
    bank-manager could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
    bank-manager could not call freeForAll (PermitAll) - Caller unauthorized
    --------------------------------------------
    User: teller, Roles: teller
    --------------------------------------------
    teller could call calculateFutureValue (requires 'teller')
    teller could call calculateTotalInterest (requires 'bank-manager' or 'teller')
    teller could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
    teller could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
    teller could not call freeForAll (PermitAll) - Caller unauthorized
    --------------------------------------------
    User: joe, Roles: customer
    --------------------------------------------
    joe could not call calculateFutureValue (requires 'teller') - Caller unauthorized
    joe could call calculateTotalInterest (requires 'bank-manager' or 'teller')
    joe could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
    joe could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
    joe could not call freeForAll (PermitAll) - Caller unauthorized
There are two problems (bugs?):
1) @PermitAll does not work for any of the roles
2) From my understanding, the class-level @RolesAllowed annotation should apply to all the methods that don't override this with their own method-level @RolesAllowed annotation. As seen in the output above, everybody was able to access calculateTotalInterest() even though only bank-manager and teller were supposed to have access.
Has anybody else encountered this? I'll be glad to open a JIRA issue if these are bugs.
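The resolution rules the post relies on (a method-level @RolesAllowed, @PermitAll or @DenyAll overrides the class-level annotation; with no method-level annotation the class-level @RolesAllowed applies; @PermitAll admits every caller and @DenyAll admits none) are what the EJB 3.0 / JSR 250 specifications describe. The following reference checker is an added example, not code from the original post or from JBoss: it applies those rules by reflection to a bean with the same annotation layout as the one posted and prints the outcome that a compliant container should produce for the four users above, so the printed matrix can be diffed against a container's actual behaviour. Because javax.annotation.security is not part of Java SE, the file defines stand-in annotation types with the same names; the bean's method bodies are reduced to constants since only the annotations matter to the check.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class RoleCheckReference {

    // Stand-ins for javax.annotation.security.RolesAllowed / PermitAll / DenyAll.
    // Assumption: same names and runtime retention; defined here only so the
    // example compiles on plain Java SE without the JSR 250 jar.
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RolesAllowed { String[] value(); }

    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface PermitAll {}

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface DenyAll {}

    // Same annotation layout as the posted bean; bodies are constants because the
    // authorization decision depends only on the annotations, not on the logic.
    @RolesAllowed({"bank-manager", "teller"})
    static class StatelessCalculatorBean {
        public double calculateTotalInterest(double presentValue, int years) { return 0.0; }
        @RolesAllowed("teller")
        public double calculateFutureValue(double presentValue, int years) { return 0.0; }
        @RolesAllowed("bank-manager")
        public double getInterestRate() { return 0.0; }
        @DenyAll
        public String getTheAnswerToLifeTheUniverseAndEverything() { return "42"; }
        @PermitAll
        public String freeForAll() { return "You're in!"; }
    }

    /**
     * Spec resolution order: an annotation on the method wins over the class-level
     * one; without a method-level annotation the class-level constraint applies;
     * with no constraint anywhere the method is unchecked.
     */
    static boolean isAllowed(Method m, Set<String> callerRoles) {
        if (m.isAnnotationPresent(DenyAll.class)) {
            return false;                       // nobody, whatever their roles
        }
        if (m.isAnnotationPresent(PermitAll.class)) {
            return true;                        // everybody, roles are not consulted
        }
        RolesAllowed required = m.getAnnotation(RolesAllowed.class);
        if (required == null) {                 // fall back to the class-level annotation
            Class<?> bean = m.getDeclaringClass();
            if (bean.isAnnotationPresent(PermitAll.class)) {
                return true;
            }
            required = bean.getAnnotation(RolesAllowed.class);
        }
        if (required == null) {
            return true;                        // unconstrained method
        }
        for (String role : required.value()) {  // any one matching role is sufficient
            if (callerRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /** Expected decision for every method of the bean, keyed by method name. */
    static Map<String, Boolean> expectedFor(Class<?> bean, Set<String> callerRoles) {
        Map<String, Boolean> decisions = new TreeMap<>();
        for (Method m : bean.getDeclaredMethods()) {
            if (!m.isSynthetic()) {
                decisions.put(m.getName(), isAllowed(m, callerRoles));
            }
        }
        return decisions;
    }

    public static void main(String[] args) {
        // Principal-to-roles mapping copied from the roles file in the post
        Map<String, Set<String>> users = new LinkedHashMap<>();
        users.put("admin", Set.of("bank-manager", "teller"));
        users.put("bank-manager", Set.of("bank-manager"));
        users.put("teller", Set.of("teller"));
        users.put("joe", Set.of("customer"));

        for (Map.Entry<String, Set<String>> user : users.entrySet()) {
            System.out.println("User: " + user.getKey() + ", Roles: " + user.getValue());
            expectedFor(StatelessCalculatorBean.class, user.getValue()).forEach((method, ok) ->
                System.out.println("  " + method + " -> " + (ok ? "allowed" : "Caller unauthorized")));
        }
    }
}
```

Run with `javac RoleCheckReference.java && java RoleCheckReference`. Under these rules joe is denied calculateTotalInterest (the class-level constraint applies because the method carries none of its own) and every user is allowed freeForAll, which is exactly where the posted output differs; the three method-level annotations are checked in a fixed order only for readability, since JSR 250 forbids combining them on one method.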