Bug 1072638 - @RolesAllowed declared at class level does not function as per spec
Summary: @RolesAllowed declared at class level does not function as per spec
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: EJB, Security
Version: 6.2.1
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: EAP 6.4.0
Assignee: David M. Lloyd
QA Contact: Jan Martiska
Docs Contact: Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-03-05 00:44 UTC by dstephan
Modified: 2020-03-11 14:50 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-09-10 11:37:08 UTC
Type: Bug
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker WFLY-2988 0 Major Resolved Class-level @RolesAllowed does not affect inherited methods 2017-02-01 16:16:45 UTC

Description dstephan 2014-03-05 00:44:33 UTC
Description of problem:

I have an EJB session bean which I restrict access to using @RolesAllowed at the class level.

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles("READ_G")
@RolesAllowed({"READ_G"})
public class MySession extends AnotherStatelessSession implements MyRemote  {
    // business methods not shown in the report
}

This does seem to restrict access correctly to the methods defined within the subclass.  Any methods that are defined in the base class though are not secured using the roles defined within the tag.

This should not be the case as the spec states that when defining the RolesAllowed on a class, all members of that class will inherit the restriction, unless overridden by another method-level annotation.

Comment 3 Dominik Pospisil 2014-09-10 11:37:08 UTC
Closing as the upstream issue has been rejected.

Stuart Douglas wrote:

It is basically the whole section. Basically class level annotations only apply to methods defined by the class, not to methods defined by the super class. The term 'all applicable business methods of the class' just means the methods that are declared on the class itself, not on any superclass. This applies to pretty much all EJB annotations, and is tested by the TCK.

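The resolution rule Stuart Douglas describes above, and the fix a deployer needs once the report is closed NOTABUG, as an added example that is not code from the bug report, from JBoss EAP or from WildFly. It is a plain Java SE program: the @RolesAllowed annotation is a local stand-in with the same retention and targets as javax.annotation.security.RolesAllowed (so the program runs on a bare JDK without the EJB API on the classpath), and the bean class names AnotherStatelessSession, MySession, MySessionOverriding, SecuredBase and MySessionOnSecuredBase are hypothetical, chosen to mirror the reporter's layout. requiredRoles() resolves a business method the way the container does: a method-level annotation wins, otherwise the class-level annotation of the class that declares the method applies, and the runtime class of the bean is never consulted.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;

public class ClassLevelRolesDemo {

    // Stand-in for javax.annotation.security.RolesAllowed (assumption: same retention and
    // targets as the real annotation) so the example runs without the EJB API on the classpath.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RolesAllowed { String[] value(); }

    // Hypothetical superclass with no security annotations, like the reporter's base bean.
    static class AnotherStatelessSession {
        public String inheritedOp() { return "inherited"; }
    }

    // Hypothetical subclass carrying only a class-level restriction, as in the bug report.
    @RolesAllowed({"READ_G"})
    static class MySession extends AnotherStatelessSession {
        public String ownOp() { return "own"; }
    }

    // Fix 1: override the inherited method so that it is declared on the annotated class.
    @RolesAllowed({"READ_G"})
    static class MySessionOverriding extends AnotherStatelessSession {
        @Override public String inheritedOp() { return super.inheritedOp(); }
        public String ownOp() { return "own"; }
    }

    // Fix 2: annotate the superclass itself; the methods it declares then carry the restriction.
    @RolesAllowed({"READ_G"})
    static class SecuredBase { public String inheritedOp() { return "inherited"; } }

    @RolesAllowed({"READ_G"})
    static class MySessionOnSecuredBase extends SecuredBase { public String ownOp() { return "own"; } }

    // Roles required to invoke m: method-level annotation first, then the class-level
    // annotation of the DECLARING class (m.getDeclaringClass()), never the bean's runtime class.
    // Returns null when the method is unrestricted.
    static Set<String> requiredRoles(Method m) {
        RolesAllowed onMethod = m.getAnnotation(RolesAllowed.class);
        if (onMethod != null) return new TreeSet<>(Arrays.asList(onMethod.value()));
        RolesAllowed onDeclaringClass = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        if (onDeclaringClass != null) return new TreeSet<>(Arrays.asList(onDeclaringClass.value()));
        return null;
    }

    static Set<String> requiredRoles(Class<?> bean, String methodName) throws NoSuchMethodException {
        return requiredRoles(bean.getMethod(methodName));
    }

    public static void main(String[] args) throws Exception {
        Class<?>[] beans = {MySession.class, MySessionOverriding.class, MySessionOnSecuredBase.class};
        for (Class<?> bean : beans) {
            for (String name : new String[]{"ownOp", "inheritedOp"}) {
                Method m = bean.getMethod(name);
                System.out.printf("%s.%s is declared on %s -> required roles %s%n",
                        bean.getSimpleName(), name, m.getDeclaringClass().getSimpleName(), requiredRoles(m));
            }
        }
    }
}
```

Running it shows MySession.inheritedOp resolving against AnotherStatelessSession and coming back unrestricted while MySession.ownOp requires READ_G, which is exactly the reporter's observation; the two fix variants both resolve inheritedOp to READ_G. The practical check after this bug: for every bean that relies on class-level @RolesAllowed, list the public methods of its superclasses and confirm each one is either overridden in the annotated class, annotated in the superclass, or genuinely meant to be callable by anyone, because an unannotated inherited business method is exposed with no role check at all.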
