Description of problem:

It's not possible to call "non-published" operations (those that are not visible in the resource tree, e.g. "describe") via JMX, while it's entirely possible to call them via CLI (e.g. "/subsystem=security:describe") and other management interfaces.

The problem lies in the fact that "ModelControllerMBeanHelper.invoke" method checks "if (!accessControl.isExecutableOperation(operationName))" and the "isExecutableOperation" method assumes that the operation will be visible in the resource tree. In fact, there is a comment stating "should not happen", but now we know that it indeed _can_ happen.

What's more, it gives a misleading error message. The "isExecutableOperation" returns "false" for unknown operations, which results in "Not authorized to invoke operation" message. Which is wrong in two different ways simultaneously: 1. the problem isn't authorization, but the fact that the operation can't be found; 2. the user (e.g. in the SuperUser role) is authorized.

I'm considering this low priority, because 1. JMX is likely to be very rarely used to access the management interface, 2. hiding information isn't nearly as important as leaking them, 3. non-published operations aren't nearly as important as the published ones.

Version-Release number of selected component (if applicable):

6.2.0.ER6

How reproducible:

Always

Steps to Reproduce:
1. Start EAP in standalone mode
2. Try to invoke the equivalent of "/subsystem=security:describe" via JMX programmatically against the running EAP

Actual results:

JBAS011363: Not authorized to invoke operation: 'describe'

Expected results:

The equivalent of the result in CLI.