3 Replies Latest reply on May 14, 2007 10:54 AM by Anil Saldanha

    User friendly warning when @PermitAll and unauthenticatedPri

    Carlo de Wolf Master

      http://www.jboss.com/index.html?module=bb&op=viewtopic&t=107702

      I think we could use a warning message if we spot a @PermitAll without an unauthenticatedPrincipal and we don't get supplied with a principal from the caller. Any objections?

        • 1. Re: User friendly warning when @PermitAll and unauthenticate
          Anil Saldanha Master

          Right way: do not force the user to always have an unauth annotation in his beans. He can specify the unauth identity in any of the following:
          a) Security Domain
          b) jboss.xml
          c) jboss-app.xml

          I would prefer the @UI injection that you do for @SD. I am not a big fan of custom annotations. I like ur injection stuff.

          A log.trace should be done for the warning message.

          Carlo de Wolf wrote:
          > Thought as much. Hmm, I think we could use a warning message if we spot
          > a @PermitAll without an unauthenticatedPrincipal and we don't get
          > supplied with a principal from the caller. Any objections?
          >
          > Carlo
          >
          > On Wed, 2007-05-02 at 08:40 -0700, Scott M Stark wrote:
          >
          >> Unchecked applies to the allowed roles. By default it still needs an
          >> authenticated user. If you don't want that, don't annotate the method
          >> with a permission, or setup the security domain to allow unauthenticated
          >> users. Without such a distinction, the @PermitAll annotation is meaningless.
          >>
          >> Anil Saldhana wrote:
          >>
          >>> So if the user does not provide any username/principal, then the
          >>> unauthenticatedIdentity setting (if present) will kick in.
          >>>
          >>> Anil Saldhana wrote:
          >>>
          >>>> That is because Scott thinks that any unchecked method should not be
          >>>> totally open to the world. Only authenticated principals should have
          >>>> access.
          >>>>
          >>>> Carlo de Wolf wrote:
          >>>>
          >>>>> Do either one of you know why a @PermitAll requires an
          >>>>> unauthenticatedPrincipal (on SecurityDomain)?
          >>>>> I want the answer beyond: TCK requires AuthorizationInterceptors. :-)
          >>>>>
          >>>>> Carlo

          • 2. Re: User friendly warning when @PermitAll and unauthenticate
            Carlo de Wolf Master

            Or maybe we should have a sensible default as unauthenticatedPrincipal? ('guest' or 'anonymous')
            That's more in spirit with JavaEE 5.

            • 3. Re: User friendly warning when @PermitAll and unauthenticate
              Anil Saldanha Master

              The default should be coming from a central location for ejb2 and ejb3. For JBoss5, I think it will come from the security deployer as specified in the following discussion.
              http://www.jboss.com/index.html?module=bb&op=viewtopic&t=106897

              Of course, the server will ship with a default.

              For 4.2, I guess the default should come from the JaasSecurityManagerService.