0 Replies Latest reply on Mar 9, 2014 4:25 PM by Osama Felfel

    Strange behavior of @RolesAllowed in JBoss 7.1.1

    Osama Felfel Newbie

      I have a SOAP WS that is created as a stateless EJB. Every thing is working fine except the following behavior:

      Assuming that the WS has 3 methods A, B and C.

      I added the @RolesAllowed annotation to each one of the three methods with different roles. The roles will be role-A, role-B and role-C accordingly.

      Then, I have deployed the WS on JBoss 7.1.1 which is configured to check the users and their roles on the DB.

      Now, If I need a user to access only method B I should give him role-B. Unfortunately he won't be able to access the method without giving him also role-A. This is also the case if I gave him only role-C.

      It seems that the user must have the first role in order to access the other methods !!

      I tried commenting method A with it's role and what happened is that the behavior have been move to role-B, i.e I should give the user role-B in order to be able to to access method C.

      The other strange thing about this is whenever I try to invoke the WS from SoapUI with a user doesn't has the first role I receive the HTTP error that the user is not authorized to call the method and nothing is shown on the JBoss log. And if I invoked a method without it's role but with the first role only I receive an exception on JBoss log and the error is returned through SOAP fault that the user is not allowed to call the method.

      I hope there is a rational explanation for this cause it really consumed a lot of my time.