2 Replies Latest reply on Oct 8, 2014 3:45 AM by Markus Schwarz

    Anonymous access to SLSB having a security domain

    Markus Schwarz Newbie

      Hi guys,

      I have following scenario...

       

      SLSB with a security domain:

      @Stateless
      @SecurityDomain("mySD")
      public class MyFacadeServiceBean { ... }
      
      

       

      standalon.xml looks like (The other security domain is by default in the standalone.xml):

      <security-domain name="other" cache-type="default">
                          <authentication>
                              <login-module code="Remoting" flag="optional">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                                 <login-module code="RealmDirect" flag="required">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      ...
                      <security-domain name="mySD" cache-type="default">
                          <authentication>
                              <login-module code="UsersRoles" flag="required">
                                  ...
                              </login-module>
                          </authentication>
                      </security-domain>
      
      

       

      And we have a rest service which invokes a method in the SLSB (this is just in short what is done there):

      ...
      SecurityContext sc =...;
      if (sc != null) {
        SecurityContextAssociation.setSecurityContext(sc);
      }
      ...
      MyFacadeServiceBean.callMethod(...);
      ....
      
      

       

      In general all works fine. If user with correct credentials uses this rest service, the method is called. If a user with invalid credentials is using this rest service, an invalid user error is thrown.

       

      What I don't understand is:

      If you call the rest service without a user (sc will be null in this case), the method is invoked successfully. Looking at the principal in this case, you see, it is anonymous. Calling SecurityContextAssociation.getSecurityContext() retruns a security context for security domain other. So why is it in this case possible to invoke the method in the SLSB, because we annotated it with SecurityDomain("mySD"), I thought this shouldn't be possible in this case. What is wrong here? I think its an configuration issue.

       

      Removing the security-domain "other" will not work, because other stuff called from somewhere else will not work in this case.

       

      Maybe I have a wrong understanding of the security domains and security realms!

       

      Regards, Markus