2 Replies Latest reply on Jan 14, 2015 7:10 AM by valsaraj007

    Securing EJBs in WildFly

    valsaraj007

      Hi,

       

      I am migrating from an old version to WildFly. In my old version EJBs are secured as follows:

       

      jboss.xml:

      <jboss>
        <security-domain>java:/jaas/ldap</security-domain>

       

      Some EJBs won't have any annotations.

      Some of them are annotated like @RolesAllowed, @PermitAll, @DenyAll, @RunAs.

       

      When I migrated to WildFly:

       

      jboss-ejb3.xml:

      <s:security>
        <ejb-name>*</ejb-name>
        <s:security-domain>ldap</s:security-domain>
      </s:security>

      Some EJBs won't have any annotations.

      Some of them are annotated like @RolesAllowed, @PermitAll, @DenyAll, @RunAs.


      But the problem is that even if the EJBs won't have anything like @RolesAllowed, @PermitAll, @DenyAll, @RunAs, they are secured and getting EJBAccessException.


      Should I remove <security-domain> from the jboss-ejb3.xml deployment descriptor and set it using the @SecurityDomain annotation on the EJBs that are annotated like @RolesAllowed, @PermitAll, @DenyAll, @RunAs?

      Please suggest the best method to apply this in WildFly.


      Thanks in advance!

        • 1. Re: Securing EJBs in WildFly
          dnovo

          I'm not sure if this is what you want

           

          In subsystem ejb3

           

          <subsystem xmlns="urn:jboss:domain:ejb3:2.0">

           

          You can set

           

          <default-missing-method-permissions-deny-access value="false"/>

           

          Default is true.

          • 2. Re: Securing EJBs in WildFly
            valsaraj007

            Thanks Daniel.

            It is controlled via the jboss-ejb3.xml deployment descriptor at a per deployment level as follows:

            <s:security>
              <ejb-name>*</ejb-name>
              <s:missing-method-permissions-deny-access>false</s:missing-method-permissions-deny-access>
              <s:security-domain>ldap</s:security-domain>
            </s:security>

            1 of 1 people found this helpful
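
Added example, not part of the thread and not WildFly's own code: a complete jboss-ejb3.xml that keeps the `ldap` security domain on every bean but sets `missing-method-permissions-deny-access` to `false` for one named bean only, so unannotated methods elsewhere stay denied. `LegacyReportBean` is a hypothetical bean name, and the root element and namespace declarations are assumed from the WildFly 8 descriptor format, since the thread shows only the `<s:security>` fragment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/jboss-ejb3.xml (WEB-INF/ for a WAR deployment) -->
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
               xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:s="urn:security:1.1"
               version="3.1" impl-version="2.0">
  <assembly-descriptor>

    <!-- Every bean authenticates against the "ldap" security domain.
         No deny-access override here, so the server default ("true",
         as stated in the first reply) applies: a method with no
         @RolesAllowed / @PermitAll / @DenyAll is rejected with
         EJBAccessException. -->
    <s:security>
      <ejb-name>*</ejb-name>
      <s:security-domain>ldap</s:security-domain>
    </s:security>

    <!-- Hypothetical bean name: a migrated EJB that still relies on the
         old behaviour, where methods without security annotations are
         callable. The relaxation is scoped to this bean instead of "*". -->
    <s:security>
      <ejb-name>LegacyReportBean</ejb-name>
      <s:security-domain>ldap</s:security-domain>
      <s:missing-method-permissions-deny-access>false</s:missing-method-permissions-deny-access>
    </s:security>

  </assembly-descriptor>
</jboss:ejb-jar>
```

Once the bean's open methods carry an explicit `@PermitAll`, its second `<s:security>` entry can be dropped and the default deny covers the whole deployment.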