I have been using JBoss for quite a while and I'm just getting up to speed with 5.1.0GA since this is now the version in the EAP.
I have been experimenting in particular with EJB security and I'm just trying to see if the default EJB security behavior is different than in the past. According to my experiments it appears to be so I'm asking to see if I'm missing something.
In particular I'm looking at the <missing-method-permissions-excluded-mode> behavior.
If I have:
Web application tied to 'java:/jaas/other' security domain in jboss-web.xml
EJB module tied to 'java:/jaas/other' security domain in jboss.xml
@RolesAllowed annotations on two methods in an EJB but no other @RolesAllowed, @DenyAll, or @PermitAll annotations on any other methods.
Security works as expected on the methods with the @RolesAllowed annotations so that is not the issue. The issue is that the other methods do not get "locked down" or excluded even when the <missing-method-permissions-excluded-mode> value in jboss.xml or standardjboss.xml is set to true.
In previous versions of JBoss, unless you had methods or EJBs marked as "unchecked" they would get locked down when the EJB module is linked to a security domain. I always felt this behavior was good because it creates a very secure environment where you have to make a decision to allow access.
With JBoss 5.1 it seems like the default is to allow access to any EJB method unless it is explicitly locked down. This seems to be true even with the
<missing-method-permissions-excluded-mode> property in standardjboss.xml implying the opposite.
I have tried doing everything with ejb-jar.xml deployment descriptors and removing all annotations so I don't believe this is because of using annotations.
Based on my prior experience with EJB security in JBoss I was expecting to have to add a @PermitAll annotation at the EJB class level but even without this other EJB methods work with no problem.
All the behavior I've seen in several iterations of experiments is consistent if the <missing-method-permissions-excluded-mode> is simply ignored.
There is a JIRA issue that indicates this was not in the original standardjboss.xml file for JBoss 5.0 but that does not really mean that this setting is honored or changes the default security treatment of EJBs.
I can add some sample code and other comments later but I just wanted to get this question out there.
Web Age Solutions