5 Replies Latest reply on Mar 12, 2010 1:01 PM by jaikiran pai

    EJB3 security - Skip authorization for @PermitAll?

    jaikiran pai Master

      I was looking at a thread in the EJB3 forum which was talking about poor performance of a bean method invocation when the bean is marked with a @SecurityDomain, as compared to a similar bean without any @SecurityDomain. The bean is like this:


      import javax.annotation.security.PermitAll;
      import org.jboss.ejb3.annotation.LocalBinding;
      import org.jboss.ejb3.annotation.SecurityDomain;
      import org.jboss.ejb3.test.perf.Ping;

      // @PermitAll restored from the post's text ("Notice the use of @PermitAll");
      // the extraction dropped it along with the braces. Class-level placement assumed.
      @PermitAll
      @SecurityDomain(unauthenticatedPrincipal = "anonymous", value = "other")
      @LocalBinding(jndiBinding = BeanWithSecurityDomain.JNDI_NAME)
      public class BeanWithSecurityDomain implements Ping
      {
         public static final String JNDI_NAME = "SecurityDomainBean";

         /**
          * @see org.jboss.ejb3.test.perf.Ping#ping()
          */
         public String ping()
         {
            return "pong1";
         }
      }



      Notice the use of @PermitAll. In the EJB3 security related interceptor org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2 I notice that even if the class/method is marked for @PermitAll, the code leads to an authorization call:


       boolean isAuthorized = helper.authorize(ejbName, 
                                   new SimpleRoleGroup(methodRoles));


      The authorization call is expensive.


      My understanding of @PermitAll was that we would skip this authorization altogether. Is there any reason why we have to authorize even when the bean is marked for @PermitAll?
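To make the question concrete, here is an added example (not JBoss code and not the interceptor under discussion) showing how an authorization decision can resolve JSR 250 security metadata and short-circuit before the expensive authorize step when the effective annotation is @PermitAll. It assumes only the javax.annotation.security annotations on the classpath; the AuthorizationHelper, the sample beans and the role sets are constructed for the example. The resolution order (method-level @DenyAll first, then method-level annotations, then class-level, then the unchecked default) is the standard EJB precedence, so @DenyAll on a method still wins over @PermitAll on the class.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/**
 * Added example (not JBoss code): resolve EJB3 security metadata for a method
 * and only call the costly role-based authorize step when roles actually
 * have to be compared.
 */
public class PermitAllFastPath {

    /** Stand-in for the real authorization helper; counts how often it is asked. */
    static final class AuthorizationHelper {
        int authorizeCalls = 0;

        boolean authorize(Set<String> callerRoles, Set<String> methodRoles) {
            authorizeCalls++; // in a real container this is the expensive part
            for (String role : callerRoles) {
                if (methodRoles.contains(role)) {
                    return true;
                }
            }
            return false;
        }
    }

    enum Access { DENY_ALL, PERMIT_ALL, ROLES }

    /** Method-level metadata overrides class-level; @DenyAll is checked first. */
    static Access effectiveAccess(Method m) {
        if (m.isAnnotationPresent(DenyAll.class)) return Access.DENY_ALL;
        if (m.isAnnotationPresent(PermitAll.class)) return Access.PERMIT_ALL;
        if (m.isAnnotationPresent(RolesAllowed.class)) return Access.ROLES;
        Class<?> bean = m.getDeclaringClass();
        if (bean.isAnnotationPresent(PermitAll.class)) return Access.PERMIT_ALL;
        if (bean.isAnnotationPresent(RolesAllowed.class)) return Access.ROLES;
        return Access.PERMIT_ALL; // no metadata at all: EJB treats the method as unchecked
    }

    static Set<String> rolesAllowed(Method m) {
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) {
            ra = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        }
        return ra == null ? new HashSet<>() : new HashSet<>(Arrays.asList(ra.value()));
    }

    /** The decision: PERMIT_ALL and DENY_ALL never reach helper.authorize(). */
    static boolean isAuthorized(Method m, Set<String> callerRoles, AuthorizationHelper helper) {
        switch (effectiveAccess(m)) {
            case DENY_ALL:
                return false;
            case PERMIT_ALL:
                return true; // fast path: no role comparison needed
            default:
                return helper.authorize(callerRoles, rolesAllowed(m));
        }
    }

    // Constructed sample beans (no container involved).
    @PermitAll
    public static class OpenBean {
        public String ping() { return "pong"; }

        @DenyAll
        public void shutdown() { }
    }

    @RolesAllowed("admin")
    public static class AdminBean {
        public void reconfigure() { }
    }

    public static void main(String[] args) throws Exception {
        AuthorizationHelper helper = new AuthorizationHelper();
        Set<String> anonymous = new HashSet<>();
        Set<String> admin = new HashSet<>(Arrays.asList("admin"));

        Method ping = OpenBean.class.getMethod("ping");
        Method shutdown = OpenBean.class.getMethod("shutdown");
        Method reconfigure = AdminBean.class.getMethod("reconfigure");

        System.out.println("anonymous -> ping:        " + isAuthorized(ping, anonymous, helper));
        System.out.println("anonymous -> shutdown:    " + isAuthorized(shutdown, anonymous, helper));
        System.out.println("anonymous -> reconfigure: " + isAuthorized(reconfigure, anonymous, helper));
        System.out.println("admin     -> reconfigure: " + isAuthorized(reconfigure, admin, helper));
        // Only the two RolesAllowed decisions touched the helper.
        System.out.println("authorize() calls: " + helper.authorizeCalls);
    }
}
```

Running the main method prints true, false, false, true and an authorize() count of 2: the @PermitAll ping and the @DenyAll shutdown are decided from metadata alone, while the @RolesAllowed method is the only one that needs the role comparison. Whatever the container's reason for always authorizing, a fast path like this must keep @DenyAll and method-level overrides ahead of the class-level @PermitAll, otherwise the optimisation turns into an authorization bypass.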