Alexis Hassler wrote:
I tried to make a few changes to reflect my application. For example, my EJBs aren't secured: no @RolesAllowed annotation. I forked the repo and removed the annotation on the EJB: hasalex/wildfly-custom-login-module · GitHub. Now, my EJB shouldn't be secured anymore.
That bean is still considered secure because of the security domain configuration on that bean, as defined in your jboss-ejb3.xml (wildfly-custom-login-module/src/test/resources/jboss-ejb3.xml at master · hasalex/wildfly-custom-login-module · GitHub). Now the method that you removed the @RolesAllowed from is considered a "method missing explicit security metadata", and such methods are treated in a very specific manner, as explained in this documentation: Securing EJBs - WildFly 8 - Project Documentation Editor. You can however change the behaviour of how they are treated, as explained in that documentation.
Thank you. Really helpful.
So when migrating from JBoss AS 7, I'll start with changing the value of the default-missing-method-permissions-deny-access property to false.
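The two places this behaviour can be set, as an added example that is not part of the thread or of the linked repository: a per-bean override in jboss-ejb3.xml, with the server-wide ejb3 subsystem setting shown in a comment for comparison. The bean name `ExampleBean` is a placeholder, and the namespace versions are assumptions to check against the schemas shipped with your WildFly version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- jboss-ejb3.xml (example; namespace versions are assumptions) -->
<jboss:jboss xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
             xmlns:s="urn:security:1.1"
             version="3.1" impl-version="2.0">

    <assembly-descriptor>
        <s:security>
            <!-- Placeholder bean name. "*" would apply the setting to every
                 EJB in this deployment. -->
            <ejb-name>ExampleBean</ejb-name>

            <!-- false: methods of this bean that carry no @RolesAllowed,
                 @PermitAll or @DenyAll (and no method-permission in the
                 descriptor) can be invoked without a role check.
                 true: such methods are denied. -->
            <s:missing-method-permissions-deny-access>false</s:missing-method-permissions-deny-access>
        </s:security>
    </assembly-descriptor>
</jboss:jboss>

<!--
  Server-wide equivalent, inside the ejb3 subsystem of standalone.xml
  (or domain.xml). It applies to every deployment on the server that
  does not override it in its own jboss-ejb3.xml:

      <default-missing-method-permissions-deny-access value="false"/>

  The same attribute through the management CLI:

      /subsystem=ejb3:write-attribute(name=default-missing-method-permissions-deny-access, value=false)
-->
```

The per-bean form limits the relaxed behaviour to the beans named in the descriptor, while the subsystem attribute changes the default for everything deployed on that server.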