2 Replies Latest reply on Feb 21, 2014 6:01 AM by daniell

    Class-level @RolesAllowed does not affect inherited methods

    daniell

      Basically I have an EJB which derives from a base class. On the EJB itself there is an @RolesAllowed annotation. With this annotation, all methods which are implemented directly in the class can be accessed when the caller has the appropriate role. But when the caller tries to call a method which has been implemented in the base class, access is denied.

      As an example, here are two classes:

      // BaseClass.java
      public abstract class BaseClass {
          // Inherited business method; the base class itself carries no security annotation
          public long getCount() { return 0L; /* placeholder body */ }
      }

      // ConcreteEJB.java
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.Stateful;

      @Stateful
      @RolesAllowed({"accessRole"})
      public class ConcreteEJB extends BaseClass {
          // Business method declared directly in the annotated bean class
          public String getString() { return "placeholder"; /* placeholder body */ }
      }
      


      In the corresponding deployment descriptor only the module-name is defined:

      <ejb-jar ...>
        <module-name>my-module-name</module-name>
      </ejb-jar>
      


      The security domain comes from the standalone.xml, which has

      <subsystem xmlns="urn:jboss:domain:ejb3:2.0">
        <!-- ... -->
        <default-security-domain value="emcs"/>
        <default-missing-method-permissions-deny-access value="true"/>
      </subsystem>
      

      Of course, the security domain used is defined elsewhere in the file.


      So if the remote client logs in and gains the role accessRole, it is able to call getString but not getCount, and the following error appears in the server log:

      09:04:28,848 DEBUG [org.jboss.security] (EJB default - 2) PBOX000291: Method: getCount, interface: Remote, required roles: Roles(<NOBODY>,)
      09:04:28,848 DEBUG [org.jboss.security] (EJB default - 2) PBOX000292: Insufficient method permissions [principal: integrationTestUser, EJB name: ConcreteEJB, method: getCount, interface: Remote, required roles: Roles(<NOBODY>,), principal roles: Roles(accessRole,), run-as roles: null]
      09:04:28,849 DEBUG [org.jboss.security] (EJB default - 2) PBOX000299: Required module org.jboss.security.authorization.modules.DelegatingAuthorizationModule failed
      09:04:28,849 DEBUG [org.jboss.security] (EJB default - 2) PBOX000325: Authorization processing error: org.jboss.security.authorization.AuthorizationException: PBOX000017: Acces denied: authorization failed
      


      Reading the EJB 3.2 spec, which says

          Specifying the RolesAllowed or PermitAll or DenyAll annotation on the bean class means that it applies to all applicable business methods of the class.

      I would suggest that this should work. In addition, it worked with JBoss AS 5.


      Extending the ejb-jar.xml works around this problem:

      <ejb-jar ...>
        <module-name>my-module-name</module-name>
        <assembly-descriptor>
          <method-permission>
            <role-name>accessRole</role-name>
            <method>
              <ejb-name>ConcreteEJB</ejb-name>
              <method-name>*</method-name>
            </method>
          </method-permission>
        </assembly-descriptor>
      </ejb-jar>
      


      BTW: using WildFly 8.0.0.Final
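The post shows why a class-level @RolesAllowed on the concrete bean can leave inherited business methods with "required roles: Roles(<NOBODY>,)" once default-missing-method-permissions-deny-access is enabled. The following pre-deployment audit is an added example (it is neither the poster's code nor part of WildFly): it walks a bean class with reflection, resolves a permission for every public business method including the inherited ones, and reports the methods that end up with no permission at all. The resolution order it models (method annotation first, then the class-level annotation of the class that declares the method, then MISSING) is an assumption chosen to match what the post reports for WildFly 8; the class and method names `MethodPermissionAudit`, `Permission`, `resolve` and `audit` are invented for the example, and the nested `BaseClass`/`ConcreteEJB` pair is a constructed mirror of the post's hierarchy with @Stateful left out because only the security annotations matter here.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/**
 * Pre-deployment audit (example code): lists every public business method of a bean class
 * together with the permission the container would resolve for it, so that methods which
 * would be reported as "required roles: Roles(<NOBODY>,)" are visible before deployment.
 */
public class MethodPermissionAudit {

    /** Resolved permission of one business method. */
    public static final class Permission {
        public final String kind;        // ROLES, PERMIT_ALL, DENY_ALL or MISSING
        public final Set<String> roles;  // only populated for kind == ROLES

        Permission(String kind, Set<String> roles) {
            this.kind = kind;
            this.roles = roles;
        }

        @Override
        public String toString() {
            return kind.equals("ROLES") ? "ROLES" + roles : kind;
        }
    }

    private static final Permission PERMIT_ALL = new Permission("PERMIT_ALL", new LinkedHashSet<>());
    private static final Permission DENY_ALL   = new Permission("DENY_ALL", new LinkedHashSet<>());
    private static final Permission MISSING    = new Permission("MISSING", new LinkedHashSet<>());

    /** Permission carried by a single annotated element (method or class); null if it has none. */
    private static Permission fromAnnotations(AnnotatedElement element) {
        if (element.isAnnotationPresent(DenyAll.class)) return DENY_ALL;
        if (element.isAnnotationPresent(PermitAll.class)) return PERMIT_ALL;
        RolesAllowed ra = element.getAnnotation(RolesAllowed.class);
        if (ra != null) return new Permission("ROLES", new LinkedHashSet<>(Arrays.asList(ra.value())));
        return null;
    }

    /**
     * Resolution order modelled here (assumption, matching what the post reports for WildFly 8):
     *  1. an annotation on the method itself wins;
     *  2. otherwise the class-level annotation of the class that DECLARES the method applies,
     *     so a class-level @RolesAllowed on the concrete bean does not reach superclass methods;
     *  3. otherwise the permission is MISSING, which with
     *     default-missing-method-permissions-deny-access="true" means nobody may call it.
     */
    public static Permission resolve(Method method) {
        Permission p = fromAnnotations(method);
        if (p != null) return p;
        p = fromAnnotations(method.getDeclaringClass());
        return p != null ? p : MISSING;
    }

    /** Audits all public, non-static business methods of the bean, inherited ones included. */
    public static Map<String, Permission> audit(Class<?> beanClass) {
        Map<String, Permission> report = new TreeMap<>();
        for (Method m : beanClass.getMethods()) {  // getMethods() returns inherited public methods too
            if (m.getDeclaringClass() == Object.class) continue;
            if (Modifier.isStatic(m.getModifiers())) continue;
            report.put(m.getDeclaringClass().getSimpleName() + "." + m.getName(), resolve(m));
        }
        return report;
    }

    // Constructed bean hierarchy mirroring the post (@Stateful omitted on purpose).
    public abstract static class BaseClass {
        public long getCount() { return 42L; }
    }

    @RolesAllowed({"accessRole"})
    public static class ConcreteEJB extends BaseClass {
        public String getString() { return "hello"; }
    }

    public static void main(String[] args) {
        Map<String, Permission> report = audit(ConcreteEJB.class);
        report.forEach((method, perm) -> System.out.println(method + " -> " + perm));
        boolean anyMissing = report.values().stream().anyMatch(p -> p.kind.equals("MISSING"));
        if (anyMissing) {
            System.out.println("Methods without any permission found: annotate the declaring class "
                    + "or cover them with a <method-permission> entry in ejb-jar.xml");
        }
    }
}
```

Run against the constructed hierarchy, the report resolves `ConcreteEJB.getString` to the accessRole entry and `BaseClass.getCount` to MISSING, which is exactly the method the server log rejects. Once such methods are known, the fix can be kept narrower than the `<method-name>*</method-name>` wildcard from the post: either move the @RolesAllowed to the base class, annotate the inherited method itself, or list only the affected methods in the `<method-permission>` element, so the deployment stays at least privilege.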