0 Replies. Latest reply: Jan 30, 2012 10:44 AM by method_ben_qc

SecurityDomain - @RolesAllowed annotation doesn't work.

method_ben_qc Newbie



I have an EJB-based Web Service like this:


import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.api.annotation.WebContext;
import javax.annotation.security.RolesAllowed;

@Stateless(name = "TestService")
@SecurityDomain(value = "WebServiceDatabaseAuth")
@WebContext(contextRoot = "/internal/MyDomain", urlPattern = "/TestService", authMethod = "BASIC", transportGuarantee = "NONE", secureWSDLAccess = true)
@WebService(serviceName = "TestService", targetNamespace = "urn:com:mytest:si")
@RolesAllowed({ "Role1", "Role2" })   // class-level: Role1 or Role2 may call the bean
public class TestServiceBean {

    // method-level annotation: only Role1 may invoke this operation
    @RolesAllowed({ "Role1" })
    public void testMethod() {
        // ...
    }
}


I have two users:

- user1, who has role Role1, so he can access the WSDL and the method.
- user2, who has role Role2, so he can access the WSDL only.


If I call the WSDL (http://localhost:8080/internal/MyDomain/TestService?WSDL) with user1, I can access the WSDL definition and call testMethod(). But if I call the WSDL with user2, I get an HTTP Status 403 - Access to the requested resource has been denied. I'm not able to get the WSDL definition if I use user2, and I don't understand why. I'm migrating from JBoss 4.2.3 to 7.0.2 and I didn't have this problem before. I double-checked my security subsystem configuration in my standalone.xml and everything is OK. I think the authentication is good, but the authorization doesn't seem to work correctly.


But if I change the @RolesAllowed of testMethod() to:

    @RolesAllowed({ "Role1", "Role2" })
    public void testMethod() {
        // ...
    }

then I can get the WSDL definition with user2.


Does anybody have an explanation?


Thank you.
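To make the precedence the post relies on concrete, here is an added Python model (not code from the post or from JBoss) of the EJB 3.1 rule that a method-level @RolesAllowed replaces the class-level one rather than merging with it; the may_read_wsdl rule encodes the poster's assumption that WSDL access follows the class-level roles only. With the roles from the post it shows why user2 is expected to reach the WSDL but not testMethod.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

@dataclass(frozen=True)
class Access:
    """One security annotation: @RolesAllowed(roles), @PermitAll or @DenyAll."""
    roles: FrozenSet[str] = frozenset()
    permit_all: bool = False
    deny_all: bool = False

def roles_allowed(*roles: str) -> Access:
    """Stands in for @RolesAllowed({...})."""
    return Access(roles=frozenset(roles))

PERMIT_ALL = Access(permit_all=True)   # @PermitAll
DENY_ALL = Access(deny_all=True)       # @DenyAll

@dataclass
class Bean:
    class_access: Optional[Access]                       # class-level annotation, if any
    method_access: Dict[str, Access] = field(default_factory=dict)

def effective_access(bean: Bean, method: str) -> Optional[Access]:
    """EJB 3.1 rule: a method-level annotation replaces (does not merge with) the
    class-level one; methods without their own annotation inherit the class's."""
    return bean.method_access.get(method, bean.class_access)

def may_invoke(bean: Bean, method: str, user_roles: Set[str]) -> bool:
    """Authorization decision for one business-method call."""
    access = effective_access(bean, method)
    if access is None or access.permit_all:
        return True                      # unannotated or @PermitAll: any authenticated caller
    if access.deny_all:
        return False
    return bool(access.roles & user_roles)

def may_read_wsdl(bean: Bean, user_roles: Set[str]) -> bool:
    """Poster's assumption (not documented JBoss 7 behaviour): WSDL access is
    governed by the class-level roles only, never by a single method's roles."""
    return may_invoke(Bean(bean.class_access), "<wsdl>", user_roles)

# Constructed from the post: class allows Role1 or Role2, testMethod only Role1.
TEST_SERVICE = Bean(roles_allowed("Role1", "Role2"), {"testMethod": roles_allowed("Role1")})
USERS = {"user1": {"Role1"}, "user2": {"Role2"}}

def decisions(bean: Bean = TEST_SERVICE) -> Dict[str, Dict[str, bool]]:
    """Per user: can they fetch the WSDL, and can they call testMethod?"""
    return {u: {"wsdl": may_read_wsdl(bean, r), "testMethod": may_invoke(bean, "testMethod", r)}
            for u, r in USERS.items()}
```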