JBoss Enterprise Application Platform: JBEAP-6465

(7.3.z) Security domain defined for web is used also for EJB even when for EJB is defined different one


Steps to reproduce:

1. Start EAP with the attached standalone.xml.
2. Deploy the attached application (check roles.properties and roles2.properties in the deployment for the admin user).
3. Go to http://localhost:8080/defined-security-domain/user/securedEjb?explicitDomain=false, which calls an EJB method allowed only for users with the Admin role.
4. Log in using admin:admin. You should be prevented from getting content from the EJB, because the default-security security domain is defined as the one to be used for EJBs, and it uses roles2.properties, where the admin user is only in the User role.


When I have defined a security-domain in jboss-web.xml and also in jboss-ejb3.xml, EJB access via the servlet always uses the security domain defined in jboss-web.xml. This is different behavior compared to EAP 6, where EJBs used their own security domain.

      For details see steps to reproduce.
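Added example, not one of the issue's attachments: the two deployment descriptors the report describes, each pointing at a different security domain, beside the legacy security-subsystem definitions they reference in standalone.xml. The domain names (web-domain, default-security), the properties file names, the user and the descriptor layout are assumptions chosen to match the steps above; the intended outcome is the one the report expects, namely that admin is denied at the EJB because roles2.properties puts that user only in the User role.

```xml
<!-- Added illustration, not an attachment from JBEAP-6465. Domain names, file
     names and the admin user are constructed for this example. -->

<!-- WEB-INF/jboss-web.xml: the web layer authenticates against "web-domain",
     where (per roles.properties) admin holds the Admin role. -->
<jboss-web>
    <security-domain>web-domain</security-domain>
</jboss-web>

<!-- META-INF/jboss-ejb3.xml: every EJB in the module should be authorized
     against "default-security" instead. The report is that this setting is
     ignored for calls made from the servlet, and the web domain's roles are
     used for the EJB authorization check as well. -->
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
               xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:s="urn:security:1.1"
               version="3.1"
               impl-version="2.0">
    <assembly-descriptor>
        <s:security>
            <ejb-name>*</ejb-name>
            <s:security-domain>default-security</s:security-domain>
        </s:security>
    </assembly-descriptor>
</jboss:ejb-jar>

<!-- standalone.xml, legacy "security" subsystem: the same users file backs both
     domains, but each domain reads a different roles file, so admin maps to
     Admin in one and only to User in the other. -->
<security-domain name="web-domain" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="users.properties"/>
            <!-- roles.properties: admin=Admin -->
            <module-option name="rolesProperties" value="roles.properties"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="default-security" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="users.properties"/>
            <!-- roles2.properties: admin=User (no Admin role) -->
            <module-option name="rolesProperties" value="roles2.properties"/>
        </login-module>
    </authentication>
</security-domain>
```

With these files deployed, a request to the reproducer URL after logging in as admin should fail at the EJB with an access-denied error: the EJB method requires the Admin role, and the EJB domain only grants admin the User role. If the call succeeds instead, the EJB authorization decision was made with the web domain's roles, which is the behaviour this issue reports. A deployment that relies on the jboss-ejb3.xml domain to apply a narrower role set than the web layer is the case to re-check when verifying the fix.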

              rhn-cservice-bbaranow Bartosz Baranowski
              rhatlapa@redhat.com Radim Hatlapatka (Inactive)
