1206657 – [GSS](6.4.z) WFLY-2129 / WFLY-3988 - Fix @PermitAll applied on class level & no class level of JAX-WS EJB Endpoint to to enable authorization security

Bug 1206657 - [GSS](6.4.z) WFLY-2129 / WFLY-3988 - Fix @PermitAll applied on class level & no class level of JAX-WS EJB Endpoint to to enable authorization security

Summary: [GSS](6.4.z) WFLY-2129 / WFLY-3988 - Fix @PermitAll applied on class level & ...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Web Services
Sub Component:
Version:	6.3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	CR1
Target Release:	EAP 6.4.3
Assignee:	Ivo Studensky
QA Contact:	Rostislav Svoboda
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1231259
TreeView+	depends on / blocked

Reported:	2015-03-27 16:24 UTC by William Antônio
Modified:	2019-05-20 11:39 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2017-01-17 10:35:58 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	WFLY-2129	0	Major	Resolved	@WebContext on EJB, results in Web Service endpoints that doesn't honor neither method-level authorization nor general a...	2016-06-30 06:11:30 UTC
Red Hat Issue Tracker	WFLY-3988	0	Major	Resolved	Authorization denied for authenticated users when @PermitAll is used on EJB JAX-WS endpoint	2016-06-30 06:11:30 UTC

Description William Antônio 2015-03-27 16:24:44 UTC

Description of problem:

---

This is a Bugzillato have WFLY-3988 in EAP: https://issues.jboss.org/browse/WFLY-3988

---


Given this endpoint:

@Stateless

@WebService(endpointInterface="com.redhat.gss.SecureEndpoint")

@DeclareRoles({"a","b"})

@WebContext(contextRoot="/endpoint",urlPattern="/e",authMethod="BASIC")

public class SecureEndpointE implements SecureEndpoint {

  @RolesAllowed({"a"})

  public String a() {

    return "Success";

  }

 

  @RolesAllowed({"b"})

  public String b() {

    return "Success";

  }

 

  @PermitAll

  public String c() {

    return "Success";

  }

}

One would expect any authenticated user to be able to invoke c(), but only users with a role found in @DeclareRoles can invoke it.

Comment 4 Rostislav Svoboda 2015-07-21 14:24:34 UTC

qa_acking for the stuff mentioned in Comment 1

Comment 5 Rostislav Svoboda 2015-08-03 14:37:42 UTC

Verified on EAP 6.4.3 CP CR1 - in conjunction with comment 1

Tested with endpoint defined like this:
@Stateless
@SecurityDomain("ejb3-test-security-domain")
public class EJBEndpoint implements EJBEndpointIface {
...  
}

No definition of@DeclareRoles or permissions like @RolesAllowed / @PermitAll on class level.
Permissions are defined on method level.

Comment 6 Petr Penicka 2017-01-17 10:35:58 UTC

Retroactively bulk-closing issues from released EAP 6.4 cummulative patches.

Note You need to log in before you can comment on or make changes to this bug.