2 Replies Latest reply on Oct 8, 2014 3:45 AM by markusschwarz

    Anonymous access to SLSB having a security domain

    markusschwarz

      Hi guys,

      I have the following scenario...

      SLSB with a security domain:

      import javax.ejb.Stateless;
      import org.jboss.ejb3.annotation.SecurityDomain;

      @Stateless
      @SecurityDomain("mySD")
      public class MyFacadeServiceBean { ... }

       

      standalone.xml looks like this (the "other" security domain is in standalone.xml by default):

      <security-domain name="other" cache-type="default">
          <authentication>
              <login-module code="Remoting" flag="optional">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="RealmDirect" flag="required">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
          </authentication>
      </security-domain>
      ...
      <security-domain name="mySD" cache-type="default">
          <authentication>
              <login-module code="UsersRoles" flag="required">
                  ...
              </login-module>
          </authentication>
      </security-domain>

       

      And we have a REST service which invokes a method in the SLSB (in short, this is what is done there):

      ...
      SecurityContext sc = ...;
      if (sc != null) {
        SecurityContextAssociation.setSecurityContext(sc);
      }
      ...
      myFacadeServiceBean.callMethod(...);   // injected SLSB instance, not a static call
      ...

       

      In general all works fine. If a user with correct credentials uses this REST service, the method is called. If a user with invalid credentials uses this REST service, an invalid user error is thrown.

       

      What I don't understand is:

      If you call the REST service without a user (sc will be null in this case), the method is invoked successfully. Looking at the principal in this case, you see it is anonymous. Calling SecurityContextAssociation.getSecurityContext() returns a security context for security domain other. So why is it possible in this case to invoke the method in the SLSB? We annotated it with SecurityDomain("mySD"), so I thought this shouldn't be possible. What is wrong here? I think it's a configuration issue.

       

      Removing the security-domain "other" will not work, because other stuff called from somewhere else will not work in this case.

       

      Maybe I have a wrong understanding of the security domains and security realms!

       

      Regards, Markus
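As an added example (not code from the original post or from JBoss): @SecurityDomain only selects which login modules authenticate the caller; whether an anonymous caller may invoke a method is decided by the javax.annotation.security annotations (or their ejb-jar.xml equivalents), and a bean with no such annotations is callable by anyone. The bean below assumes a role named "user" listed in the roles.properties read by the UsersRoles module of "mySD", assumes the web application's jboss-web.xml points at the same security domain so the container propagates the authenticated principal into the EJB call, and uses an injected bean instead of the static-looking call in the post; the role and resource names are assumptions.

```java
import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import org.jboss.ejb3.annotation.SecurityDomain;

// Assumed role name "user": it must exist in the roles.properties used by
// the UsersRoles login module configured for security domain "mySD".
@Stateless
@SecurityDomain("mySD")
@DenyAll   // class-level default: a method without its own annotation is not callable
public class MyFacadeServiceBean {

    @Resource
    private SessionContext ctx;

    // Only an authenticated caller holding role "user" may invoke this.
    // An anonymous caller now gets an EJBAccessException instead of a result.
    @RolesAllowed("user")
    public String callMethod() {
        return "called by " + ctx.getCallerPrincipal().getName();
    }

    // Deliberately open, e.g. for a health check. It also shows that access is
    // a per-method decision: @SecurityDomain alone does not deny anonymous calls.
    @PermitAll
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName()
             + " (has role user: " + ctx.isCallerInRole("user") + ")";
    }
}

// Assumed JAX-RS resource name and paths.
@Path("/facade")
class FacadeResource {
    @EJB
    private MyFacadeServiceBean facade;   // injected by the container

    @GET @Path("/call") @Produces("text/plain")
    public String call() {
        // No manual SecurityContextAssociation handling: the principal the web
        // container authenticated (or "anonymous") is propagated into the EJB.
        return facade.callMethod();
    }

    @GET @Path("/whoami") @Produces("text/plain")
    public String whoAmI() {
        return facade.whoAmI();
    }
}
```

With this in place the three cases from the post separate cleanly: valid credentials return "called by <name>", invalid credentials still fail in the login module, and a request with no credentials reaches the bean as "anonymous" but is rejected by the @RolesAllowed check on callMethod while /whoami still answers.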