2 Replies Latest reply on Jan 25, 2008 1:15 PM by javidjamae

    Security annotations not working in 5.0.0.Beta3

    javidjamae

      I'm trying to call an EJB with security annotations set on it, but only some of them work properly. Here is the EJB that I have:

      import javax.annotation.security.DenyAll;
      import javax.annotation.security.PermitAll;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.EJB;
      import javax.ejb.Stateless;
      // JBoss-specific annotation; package assumed to be the JBoss AS 5 EJB3 one
      import org.jboss.ejb3.annotation.SecurityDomain;

      // Calculator, CalculatorRemote and InterestRateManager are defined elsewhere in the deployment.
      @SecurityDomain("simple-security-domain")
      @RolesAllowed({ "bank-manager", "teller" })   // class-level default for unannotated methods
      @Stateless
      public class StatelessCalculatorBean implements Calculator, CalculatorRemote {

          @EJB(beanName = "InterestRateMBean")
          private InterestRateManager interestRateManager;

          // No method-level annotation: should inherit the class-level @RolesAllowed
          public double calculateTotalInterest(double presentValue, int years) {
              return calculateFutureValue(presentValue, years) - presentValue;
          }

          @RolesAllowed("teller")
          public double calculateFutureValue(double presentValue, int years) {
              double interestRate = interestRateManager.getInterestRate() / 100;
              return presentValue * Math.pow((1.0 + interestRate), years);
          }

          @RolesAllowed("bank-manager")
          public double getInterestRate() {
              return interestRateManager.getInterestRate();
          }

          @DenyAll
          public String getTheAnswerToLifeTheUniverseAndEverything() {
              return "42";
          }

          @PermitAll
          public String freeForAll() {
              return "You're in!";
          }

      }


      Here are my roles:
      admin=bank-manager,teller
      bank-manager=bank-manager
      teller=teller
      joe=customer
      Here is what happens when I try to access the various methods from a standalone client:

      --------------------------------------------
      User: admin, Roles: bank-manager, teller
      --------------------------------------------
      admin could call calculateFutureValue (requires 'teller')
      admin could call calculateTotalInterest (requires 'bank-manager' or 'teller')
      admin could call getInterestRate (requires 'bank-manager')
      admin could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
      admin could not call freeForAll (PermitAll) - Caller unauthorized
      --------------------------------------------
      User: bank-manager, Roles: bank-manager
      --------------------------------------------
      bank-manager could not call calculateFutureValue (requires 'teller') - Caller unauthorized
      bank-manager could call calculateTotalInterest (requires 'bank-manager' or 'teller')
      bank-manager could call getInterestRate (requires 'bank-manager')
      bank-manager could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
      bank-manager could not call freeForAll (PermitAll) - Caller unauthorized
      --------------------------------------------
      User: teller, Roles: teller
      --------------------------------------------
      teller could call calculateFutureValue (requires 'teller')
      teller could call calculateTotalInterest (requires 'bank-manager' or 'teller')
      teller could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
      teller could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
      teller could not call freeForAll (PermitAll) - Caller unauthorized
      --------------------------------------------
      User: joe, Roles: customer
      --------------------------------------------
      joe could not call calculateFutureValue (requires 'teller') - Caller unauthorized
      joe could call calculateTotalInterest (requires 'bank-manager' or 'teller')
      joe could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
      joe could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
      joe could not call freeForAll (PermitAll) - Caller unauthorized
      There are two problems (bugs?):

      1) @PermitAll does not work for any of the roles
      2) From my understanding, the class-level @RolesAllowed annotation should apply to all the methods that don't override it with their own method-level @RolesAllowed annotation. As seen in the output above, everybody was able to access calculateTotalInterest() even though only bank-manager and teller were supposed to have access.

      Has anybody else encountered this? I'll be glad to open a JIRA issue if these are bugs.
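      The following is an added example, not code from the original post or from JBoss: it derives the access decision that the JSR-250 / EJB 3.0 precedence rules require for every user and method of the posted bean (method-level @DenyAll, @PermitAll or @RolesAllowed first; otherwise the class-level constraint; otherwise unchecked), so the container's observed output can be diffed row by row against what it should be. The bean is a stand-in with the posted annotations and stubbed bodies, the users and roles are taken from the roles listing above, and javax.annotation.security must be on the classpath (the JSR-250 API jar or a Java EE API jar; it is not part of Java SE).

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/** Added example: expected authorization matrix for the posted bean (not the post's own code). */
public class ExpectedAccessMatrix {

    /** Stand-in for the posted bean: same method names and annotations, stubbed bodies. */
    @RolesAllowed({ "bank-manager", "teller" })
    public static class StatelessCalculatorBean {
        public double calculateTotalInterest(double presentValue, int years) { return 0.0; }

        @RolesAllowed("teller")
        public double calculateFutureValue(double presentValue, int years) { return 0.0; }

        @RolesAllowed("bank-manager")
        public double getInterestRate() { return 0.0; }

        @DenyAll
        public String getTheAnswerToLifeTheUniverseAndEverything() { return "42"; }

        @PermitAll
        public String freeForAll() { return "You're in!"; }
    }

    /**
     * Spec precedence: a method-level @DenyAll, @PermitAll or @RolesAllowed wins;
     * without one, the class-level @PermitAll or @RolesAllowed applies; with no
     * constraint at either level the method is unchecked.
     */
    static boolean isAllowed(Method method, Set<String> callerRoles) {
        if (method.isAnnotationPresent(DenyAll.class)) {
            return false;
        }
        if (method.isAnnotationPresent(PermitAll.class)) {
            return true;
        }
        RolesAllowed rolesAllowed = method.getAnnotation(RolesAllowed.class);
        if (rolesAllowed == null) {
            Class<?> bean = method.getDeclaringClass();
            if (bean.isAnnotationPresent(PermitAll.class)) {
                return true;
            }
            rolesAllowed = bean.getAnnotation(RolesAllowed.class);
            if (rolesAllowed == null) {
                return true; // no constraint anywhere: unchecked method
            }
        }
        for (String role : rolesAllowed.value()) {
            if (callerRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /** Expected decision for every (user, method) pair, keyed "user/method". */
    static Map<String, Boolean> expectedMatrix(Map<String, Set<String>> users) {
        Map<String, Boolean> matrix = new TreeMap<String, Boolean>();
        for (Map.Entry<String, Set<String>> user : users.entrySet()) {
            for (Method m : StatelessCalculatorBean.class.getDeclaredMethods()) {
                matrix.put(user.getKey() + "/" + m.getName(), isAllowed(m, user.getValue()));
            }
        }
        return matrix;
    }

    private static Set<String> roles(String... names) {
        return new HashSet<String>(Arrays.asList(names));
    }

    public static void main(String[] args) {
        // Users and roles as in the post's roles listing.
        Map<String, Set<String>> users = new LinkedHashMap<String, Set<String>>();
        users.put("admin", roles("bank-manager", "teller"));
        users.put("bank-manager", roles("bank-manager"));
        users.put("teller", roles("teller"));
        users.put("joe", roles("customer"));

        for (Map.Entry<String, Boolean> row : expectedMatrix(users).entrySet()) {
            System.out.println(row.getKey() + " -> " + (row.getValue() ? "allowed" : "unauthorized"));
        }
        // Rows that differ from the container output above are the ones worth a bug report:
        // joe/calculateTotalInterest should be unauthorized, and */freeForAll should be allowed.
    }
}
```

      Of the two discrepancies, the calculateTotalInterest one is the security-relevant one: a customer with no matching role reaching a method the class-level @RolesAllowed was meant to protect is an authorization bypass, whereas a non-working @PermitAll only denies access that should have been granted. Until the container behaviour is resolved, annotating such methods explicitly at the method level removes the dependence on class-level inheritance.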