2 Replies Latest reply on Jan 25, 2008 1:15 PM by Javid Jamae

    Security annotations not working in 5.0.0.Beta3

    Javid Jamae Newbie

      I'm trying to call an EJB with security annotations set on it, but only some of them work properly. Here is the EJB that I have:

      @SecurityDomain("simple-security-domain")
      @RolesAllowed( { "bank-manager", "teller" })
      @Stateless
      public class StatelessCalculatorBean implements Calculator, CalculatorRemote {
      
       @EJB(beanName = "InterestRateMBean")
       private InterestRateManager interstRateManager;
      
       public double calculateTotalInterest(double presentValue, int years) {
       return calculateFutureValue(presentValue, years) - presentValue;
       }
      
       @RolesAllowed("teller")
       public double calculateFutureValue(double presentValue, int years) {
       double interestRate = interstRateManager.getInterestRate() / 100;
       return presentValue * Math.pow((1.0 + interestRate), years);
       }
      
       @RolesAllowed("bank-manager")
       public double getInterestRate() {
       return interstRateManager.getInterestRate();
       }
      
       @DenyAll
       public String getTheAnswerToLifeTheUniverseAndEverything() {
       return "42";
       }
      
       @PermitAll
       public String freeForAll() {
       return "You're in!";
       }
      
      }


      Here are my roles:
      admin=bank-manager,teller
      bank-manager=bank-manager
      teller=teller
      joe=customer
      


      Here is what happens when I try to access the various methods from a standalone client:

      --------------------------------------------
      User: admin, Roles: bank-manager, teller
      --------------------------------------------
      admin could call calculateFutureValue (requires 'teller')
      admin could call calculateTotalInterest (requires 'bank-manager' or 'teller')
      admin could call getInterestRate (requires 'bank-manager')
      admin could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
      admin could not call freeForAll (PermitAll) - Caller unauthorized
      --------------------------------------------
      User: bank-manager, Roles: bank-manager
      --------------------------------------------
      bank-manager could not call calculateFutureValue (requires 'teller') - Caller unauthorized
      bank-manager could call calculateTotalInterest (requires 'bank-manager' or 'teller')
      bank-manager could call getInterestRate (requires 'bank-manager')
      bank-manager could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
      bank-manager could not call freeForAll (PermitAll) - Caller unauthorized
      --------------------------------------------
      User: teller, Roles: teller
      --------------------------------------------
      teller could call calculateFutureValue (requires 'teller')
      teller could call calculateTotalInterest (requires 'bank-manager' or 'teller')
      teller could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
      teller could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
      teller could not call freeForAll (PermitAll) - Caller unauthorized
      --------------------------------------------
      User: joe, Roles: customer
      --------------------------------------------
      joe could not call calculateFutureValue (requires 'teller') - Caller unauthorized
      joe could call calculateTotalInterest (requires 'bank-manager' or 'teller')
      joe could not call getInterestRate (requires 'bank-manager') - Caller unauthorized
      joe could not call getTheAnswerToLifeTheUniverseAndEverything (DenyAll) - Caller unauthorized
      joe could not call freeForAll (PermitAll) - Caller unauthorized
      


      There are two problems (bugs?):

      1) Permit all does not work for any of the roles
      2) From my understanding, the class-level @RolesAllowed annotation should apply to all the methods that don't override this with their own method-level @RolesAllowed annotation. As seen in the output above, everybody was able to access calculateTotalInterest() even though only bank-manager and teller were supposed to have access.

      Has anybody else encountered this? I'll be glad to open a JIRA issue if these are bugs.