Right way: do not force the user to always have an unauth annotation in his beans. He can specify the unauth identity in any of the following:
a) Security Domain
I would prefer the @UI injection that you do for @SD. I am not a big fan of custom annotations. I like ur injection stuff.
A log.trace should be done for the warning message.
Carlo de Wolf wrote:
> Thought as much. Hmm, I think we could use a warning message if we spot
> a @PermitAll without an unauthenticatedPrincipal and we don't get
> supplied with a principal from the caller. Any objections?
> On Wed, 2007-05-02 at 08:40 -0700, Scott M Stark wrote:
>> Unchecked applies to the allowed roles. By default it still needs an
>> authenticated user. If you don't want that, don't annotate the method
>> with a permission, or setup the security domain to allow unauthenticated
>> users. Without such a distinction, the @PermitAll annotation is meaningless.
>> Anil Saldhana wrote:
>>> So if the user does not provide any username/principal, then the
>>> unauthenticatedIdentity setting (if present) will kick in.
>>> Anil Saldhana wrote:
>>>> That is because Scott thinks that any unchecked method should not be
>>>> totally open to the world. Only authenticated principals should have
>>>> Carlo de Wolf wrote:
>>>>> Do either one of you know why a @PermitAll requires an
>>>>> unauthenticatedPrincipal (on SecurityDomain)?
>>>>> I want the answer beyond: TCK requires AuthorizationInterceptors. :-)
Or maybe we should have a sensible default as unauthenticatedPrincipal? ('guest' or 'anonymous')
That's more in spirit with JavaEE 5.
The default should be coming from a central location for ejb2 and ejb3. For JBoss5, I think it will come from the security deployer as specified in the following discussion.
Of course, the server will ship with a default.
For 4.2, I guess the default should come from the JaasSecurityManagerService.