5 Replies Latest reply on Mar 12, 2010 1:01 PM by jaikiran pai

    EJB3 security - Skip authorization for @PermiAll?

    jaikiran pai Master

      I was looking at a thread in the EJB3 forum which was talking about poor performance of a bean method invocation when the bean is marked with a @SecurityDomain, as compared to a similar bean without any @SecurityDomain. The bean is like this:

       

      @Stateless
      @Local(Ping.class)
      @SecurityDomain(unauthenticatedPrincipal = "anonymous", value="other")
      @PermitAll
      @LocalBinding (jndiBinding=BeanWithSecurityDomain.JNDI_NAME)
      public class BeanWithSecurityDomain implements Ping
      {
      
         public static final String JNDI_NAME = "SecurityDomainBean";
         
         /**
          * @see org.jboss.ejb3.test.perf.Ping#ping()
          */
         public String ping()
         {
            return "pong1";
         }
      
      }
      

       

       

      Notice the use of @PermitAll. In the EJB3 security related interceptor org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2 i notice that even if the class/method is marked for @PermitAll, the code leads to a authorization call:

       

       boolean isAuthorized = helper.authorize(ejbName, 
                                   mi.getMethod(), 
                                   sc.getUtil().getUserPrincipal(), 
                                   iface, 
                                   ejbCS, 
                                   sc.getUtil().getSubject(), 
                                   callerRunAs, 
                                   contextID,
                                   new SimpleRoleGroup(methodRoles));
      

       

      The authorization call is expensive.

       

      My understanding of @PermitAll was that we would skip this authorization altogether. Is there any reason why we have to authorize even when the bean is marked for @PermitAll?