Bug 1072638
| Summary: | @RolesAllowed declared at class level does not function as per spec | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | dstephan |
| Component: | EJB, Security | Assignee: | David M. Lloyd <david.lloyd> |
| Status: | CLOSED NOTABUG | QA Contact: | Jan Martiska <jmartisk> |
| Severity: | urgent | Docs Contact: | Russell Dickenson <rdickens> |
| Priority: | urgent | ||
| Version: | 6.2.1 | CC: | cdewolf, chaowan, clichybi, dpospisi, dstephan, jcacek, kkhan |
| Target Milestone: | --- | ||
| Target Release: | EAP 6.4.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-09-10 11:37:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Closing as the upstream issue has been rejected. Stuart Douglas wrote: It is basically the whole section. Basically class level annotations only apply to methods defined by the class, not to methods defined by the super class. The term 'all applicable business methods of the class' just means the methods that are declared on the class itself, not on any superclass. This applies to pretty much all EJB annotations, and is tested by the TCK. |
Description of problem: I have an EJB session bean which I restrict access to using @RolesAllowed at the class level. @Stateless @DeclareRoles("READ_G") @RolesAllowed({"READ_G"}) public class MySession extends AnotherStatelessSession implements MyRemote { This does seem to restrict access correctly to the methods defined within the sub class. Any methods that are defined in the base class though are not secured using the roles defined within the tag. This should not be the case as the spec states that when defining the RolesAllowed on a class, all members of that class will inherit the restriction, unless overriden by another method level annotation.