Anonymous access to SLSB having a security domain
markusschwarz Sep 30, 2014 2:54 AM
Hi guys,
I have the following scenario...
SLSB with a security domain:
@Stateless
@SecurityDomain("mySD")
public class MyFacadeServiceBean {
    ...
}
standalone.xml looks like this (the "other" security domain is in standalone.xml by default):
<security-domain name="other" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmDirect" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>
...
<security-domain name="mySD" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            ...
        </login-module>
    </authentication>
</security-domain>
And we have a REST service which invokes a method in the SLSB (this is just, in short, what is done there):
...
SecurityContext sc = ...;
if (sc != null) {
    SecurityContextAssociation.setSecurityContext(sc);
}
...
MyFacadeServiceBean.callMethod(...);
...
In general all works fine. If a user with correct credentials uses this REST service, the method is called. If a user with invalid credentials uses this REST service, an invalid user error is thrown.
What I don't understand is:
If you call the REST service without a user (sc will be null in this case), the method is invoked successfully. Looking at the principal in this case, you see it is anonymous. Calling SecurityContextAssociation.getSecurityContext() returns a security context for the security domain "other". So why is it possible in this case to invoke the method in the SLSB? Because we annotated it with @SecurityDomain("mySD"), I thought this shouldn't be possible. What is wrong here? I think it's a configuration issue.
Removing the security domain "other" will not work, because other stuff called from somewhere else will not work in that case.
Maybe I have a wrong understanding of security domains and security realms!
Regards, Markus
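Added example, not part of Markus's post or the project's code: @SecurityDomain only selects which domain authenticates the caller; it imposes no authorization rule by itself. Under the EJB 3.x spec, a business method that carries no @RolesAllowed, @DenyAll or @PermitAll (and no method-permission in the deployment descriptor) is "unchecked", so the container lets any caller through, including one the default domain resolved to an anonymous principal. The bean below is the same MyFacadeServiceBean with explicit constraints added; the package name, the role names "user" and "admin", and the method names are assumptions.

```java
// Added example (not from the original post): MyFacadeServiceBean with explicit
// authorization. Package and role names are hypothetical; "mySD" is the domain
// from the post.
package com.example.facade;

import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("mySD")
@DenyAll // class-level default: a method with no annotation of its own is denied
public class MyFacadeServiceBean {

    @Resource
    private SessionContext ctx;

    // Only callers authenticated in "mySD" and holding one of these roles get in.
    // An anonymous caller now fails with EJBAccessException in the container
    // interceptor, before the method body runs.
    @RolesAllowed({"user", "admin"})
    public String callMethod(String input) {
        // With @RolesAllowed in place this principal is never "anonymous".
        String caller = ctx.getCallerPrincipal().getName();
        return "handled " + input + " for " + caller;
    }

    // Explicitly opened method: documents that unauthenticated access is intended
    // here, instead of happening by omission as in the original bean.
    @PermitAll
    public String healthCheck() {
        return "ok";
    }

    // Declarative check admits both roles; the programmatic check narrows a
    // privileged branch to "admin" only.
    @RolesAllowed({"user", "admin"})
    public void remove(String id, boolean purge) {
        if (purge && !ctx.isCallerInRole("admin")) {
            throw new EJBAccessException("purge requires the admin role");
        }
        // ... remove (and optionally purge) the entity identified by id
    }
}
```

With @DenyAll at class level, every new method is closed until someone deliberately annotates it, which is the failure-safe default for a facade reached from a REST layer that may or may not have set a SecurityContext. Newer WildFly releases also expose `default-missing-method-permissions-deny-access` in the ejb3 subsystem to make "no annotation" mean deny server-wide; check whether your version has it before relying on it.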