-
1. Re: Problem with security-domain on a Web + EJB application
Alexis Hassler wrote:
I'm playing with this example from Roberto Cortez : radcortez/wildfly-custom-login-module · GitHub . Tt's working fine.
I tried to make a few changes to reflect my application. For example, my EJBs aren't secured : no @RolesAllowed annotation. I forked the repo and removed the annotation on the EJB : hasalex/wildfly-custom-login-module · GitHub. Now, my EJB shouldn't be secured anymore.
That bean is still considered secure because of the security domain configuration on that bean as defined in your jboss-ejb3.xml wildfly-custom-login-module/src/test/resources/jboss-ejb3.xml at master · hasalex/wildfly-custom-login-module · GitHub. Now the method that you removed the @RolesAllowed from is considered a "method missing explicit security metadata" and they are treated in a very specific manner as explained in this documentation Securing EJBs - WildFly 8 - Project Documentation Editor. You can however change the behaviour of how they are treated as explained in that documentation.
-
2. Re: Problem with security-domain on a Web + EJB application
Thank you. Really helpful.
So when migrating from JBoss AS 7, I'll start with changing the value of the default-missing-method-permissions-deny-access property to false.