Bug 1206657

Summary: [GSS](6.4.z) WFLY-2129 / WFLY-3988 - Fix @PermitAll applied on class level & no class level of JAX-WS EJB Endpoint to enable authorization security
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: William Antônio <wsiqueir>
Component: Web Services
Assignee: Ivo Studensky <istudens>
Status: CLOSED CURRENTRELEASE
QA Contact: Rostislav Svoboda <rsvoboda>
Severity: medium
Priority: unspecified
Version: 6.3.0
CC: bmaxwell, istudens, jawilson
Target Milestone: CR1
Target Release: EAP 6.4.3
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2017-01-17 10:35:58 UTC
Type: Bug
Bug Blocks: 1231259    

Description William Antônio 2015-03-27 16:24:44 UTC
Description of problem:

---

This is a Bugzilla to have WFLY-3988 in EAP: https://issues.jboss.org/browse/WFLY-3988

---


Given this endpoint:

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebService;
import org.jboss.ws.api.annotation.WebContext;

// EJB3 JAX-WS endpoint; the service endpoint interface com.redhat.gss.SecureEndpoint is not included in the report.
@Stateless
@WebService(endpointInterface="com.redhat.gss.SecureEndpoint")
@DeclareRoles({"a","b"})  // declares the roles the bean refers to; it does not restrict access by itself
@WebContext(contextRoot="/endpoint",urlPattern="/e",authMethod="BASIC")  // HTTP BASIC authentication at the web layer
public class SecureEndpointE implements SecureEndpoint {

  @RolesAllowed({"a"})  // only callers in role "a"
  public String a() {
    return "Success";
  }

  @RolesAllowed({"b"})  // only callers in role "b"
  public String b() {
    return "Success";
  }

  @PermitAll  // any authenticated caller, regardless of role
  public String c() {
    return "Success";
  }
}

One would expect any authenticated user to be able to invoke c(), but only users with a role found in @DeclareRoles can invoke it.

Comment 4 Rostislav Svoboda 2015-07-21 14:24:34 UTC
qa_acking for the stuff mentioned in Comment 1

Comment 5 Rostislav Svoboda 2015-08-03 14:37:42 UTC
Verified on EAP 6.4.3 CP CR1 - in conjunction with comment 1

Tested with endpoint defined like this:
@Stateless
@SecurityDomain("ejb3-test-security-domain")
public class EJBEndpoint implements EJBEndpointIface {
...  
}

No definition of @DeclareRoles or permissions like @RolesAllowed / @PermitAll on class level.
Permissions are defined on method level.
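
The report and the verification comment both rely on the JSR-250 / EJB 3.1 permission rules that the container is expected to apply (method-level annotation overrides class-level, @PermitAll admits every authenticated caller, an unannotated method is unchecked). The following is an added example, not code from the report or from the EAP/WildFly fix, that computes the effective permission of each method on two constructed sample beans with plain reflection and evaluates it for a caller without and with a declared role; it goes beyond the report's case by also covering class-level @PermitAll, @DenyAll and unannotated methods. It assumes the javax.annotation.security annotations are on the classpath (javax.annotation-api, or a JDK up to 10 where they ship with the JDK); the bean names MethodLevelBean and ClassLevelBean, the role names and the caller role sets are constructed for illustration.

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Set;

/**
 * Model of the JSR-250 / EJB 3.1 permission resolution a container is expected
 * to apply to a JAX-WS EJB endpoint. Authentication (e.g. authMethod="BASIC")
 * is assumed to have already happened; only the authorization step is modelled.
 * Added example; not the container's implementation.
 */
public class EndpointAuthzModel {

    /** Effective permission of one method. roles == null means "any authenticated caller". */
    static final class Permission {
        static final Permission PERMIT_ALL = new Permission(false, null);
        static final Permission DENY_ALL = new Permission(true, null);
        final boolean deny;
        final Set<String> roles;

        Permission(boolean deny, Set<String> roles) { this.deny = deny; this.roles = roles; }

        boolean allows(Set<String> callerRoles) {
            if (deny) return false;
            if (roles == null) return true;                   // @PermitAll or unchecked
            return !Collections.disjoint(roles, callerRoles); // @RolesAllowed: any one role suffices
        }

        @Override public String toString() {
            return deny ? "DenyAll" : roles == null ? "PermitAll" : "RolesAllowed" + roles;
        }
    }

    /** Permission declared directly on a method or class, or null if nothing is declared there. */
    static Permission declaredOn(AnnotatedElement e) {
        if (e.isAnnotationPresent(DenyAll.class)) return Permission.DENY_ALL;
        RolesAllowed ra = e.getAnnotation(RolesAllowed.class);
        if (ra != null) return new Permission(false, new HashSet<String>(Arrays.asList(ra.value())));
        if (e.isAnnotationPresent(PermitAll.class)) return Permission.PERMIT_ALL;
        return null;
    }

    /** Method level wins; otherwise class level; otherwise the method is unchecked. */
    static Permission effective(Method m) {
        Permission p = declaredOn(m);
        if (p == null) p = declaredOn(m.getDeclaringClass());
        return p != null ? p : Permission.PERMIT_ALL;
    }

    /** Roles used in @RolesAllowed but missing from @DeclareRoles; @DeclareRoles only declares, it never restricts. */
    static Set<String> undeclaredRoles(Class<?> bean) {
        DeclareRoles dr = bean.getAnnotation(DeclareRoles.class);
        Set<String> declared = dr == null ? Collections.<String>emptySet()
                                          : new HashSet<String>(Arrays.asList(dr.value()));
        Set<String> missing = new HashSet<String>();
        for (Method m : bean.getDeclaredMethods()) {
            Permission p = effective(m);
            if (p.roles != null) for (String r : p.roles) if (!declared.contains(r)) missing.add(r);
        }
        return missing;
    }

    /** Constructed sample with the shape of the reported endpoint: roles declared, permissions only on methods. */
    @DeclareRoles({"a", "b"})
    static class MethodLevelBean {
        @RolesAllowed("a") public String a() { return "Success"; }
        @RolesAllowed("b") public String b() { return "Success"; }
        @PermitAll public String c() { return "Success"; }
        public String d() { return "Success"; }   // no annotation at either level: unchecked
    }

    /** Constructed sample for the class-level @PermitAll case named in the bug title. */
    @PermitAll
    static class ClassLevelBean {
        @RolesAllowed("admin") public String restricted() { return "Success"; }
        public String open() { return "Success"; }
    }

    public static void main(String[] args) {
        // Two constructed callers: both authenticated, only one holds a declared role.
        Set<String> guest = new HashSet<String>(Arrays.asList("guest"));
        Set<String> roleA = new HashSet<String>(Arrays.asList("a"));
        for (Class<?> bean : Arrays.asList(MethodLevelBean.class, ClassLevelBean.class)) {
            System.out.println(bean.getSimpleName() + " (roles used but not declared: " + undeclaredRoles(bean) + ")");
            Method[] methods = bean.getDeclaredMethods();
            Arrays.sort(methods, new Comparator<Method>() {
                public int compare(Method x, Method y) { return x.getName().compareTo(y.getName()); }
            });
            for (Method m : methods) {
                Permission p = effective(m);
                System.out.printf("  %-12s %-18s guest=%-5b a=%-5b%n",
                        m.getName() + "()", p, p.allows(guest), p.allows(roleA));
            }
        }
    }
}
```

Run with `javac -cp javax.annotation-api.jar EndpointAuthzModel.java` and the same classpath for `java`. The line for c() on MethodLevelBean shows PermitAll with guest=true, which is the behaviour the report expects and the container did not deliver before the fix: a caller authenticated at the web layer but holding none of the roles in @DeclareRoles is still admitted. The undeclaredRoles check is the sanity test worth keeping for real endpoints, since ClassLevelBean uses "admin" without declaring it.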

Comment 6 Petr Penicka 2017-01-17 10:35:58 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.