5 Replies Latest reply on Sep 23, 2011 8:53 AM by jaikiran pai

    JBoss AS7 EJB Security Problems

    ccob Newbie



      We have recently upgraded our JBoss infrastructure within development to JBoss AS7 from v6.  We are in the middle of writing a Stateless EJB based web service.  The web service uses the CXF stack paired with WS-Security using a custom authenticating interceptor based off the SubjectCreatingInterceptor to tie in PicketBox authentication with WS-Security.


      The custom WS-Security interceptor works fine and authenticates correctly using the configured security domain inside standalone.xml (for which we are currently using the Database module).


      Now here is where the problems start.  In JBoss 6 it worked fine using the @SecurityDomain annotation on our EJB from org.jboss.ejb3.annotation, which has since been removed from JBoss AS7.  Now the only other @SecurityDomain annotation I can find is the one from PicketBox org.jboss.security.annotations.


      When we use this annotation, EJB based security is nonexistent on the EJB, so the @RolesAllowed annotation is also ignored and the EJB methods can be called by anyone regardless of the WS-Security interceptor.


      Is there anything special that needs to be done for the org.jboss.security.annotations.SecurityDomain to work when used with an EJB?