Bug
Resolution: Not a Bug
Minor
None
AD183 - EAP 7.0 2 20180124
None
9
ROLE
en-US (English)
URL:
Reporter RHNID:
Section: -
Language: en-US (English)
Workaround: I would explicitly point out the documentation on this: "If the RolesAllowed is specified at the class level and this annotation is applied at the method level, the PermitAll annotation overrides the RolesAllowed for the specified method." Better yet, point out that if you annotate at the method level, it will override the annotation at the class level, not just for this, but apparently for any security annotation.
Description: In the section "Describing the JAAS Specification", there's a list of annotations and then a code example. In the code example, the third point is about @PermitAll, and reads:
The HelloWorld method is available to all roles, not just admin and qa.
This is, of course, correct. However, I feel we need to be much more explicit about the fact that at the class level, we've restricted the roles to admin and qa, and that this method-level annotation just blew away that restriction. From the official docs:
"If the RolesAllowed is specified at the class level and this annotation is applied at the method level, the PermitAll annotation overrides the RolesAllowed for the specified method."
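The class-level versus method-level behaviour quoted above, as an added example (this is not code from the EAP documentation or from the report; the bean and method names are hypothetical). The example also goes one step beyond the quoted sentence and shows that a method-level @RolesAllowed or @DenyAll replaces the class-level annotation in the same way:

```java
// Added example, not part of the EAP documentation. Bean and method names
// (HelloWorldBean, hello, helloWorld, adminOnly, disabled) are hypothetical.
package example.security;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// Class-level restriction: by default every business method of this bean
// requires the caller to be in the "admin" or "qa" role.
@Stateless
@RolesAllowed({"admin", "qa"})
public class HelloWorldBean {

    // No method-level annotation, so the class-level rule applies:
    // admin or qa only. Any other caller gets javax.ejb.EJBAccessException.
    public String hello() {
        return "hello";
    }

    // Method-level @PermitAll overrides the class-level @RolesAllowed for
    // this method only. The container performs no role check here, so any
    // caller that can reach the bean can invoke it; the class-level
    // restriction to admin/qa no longer applies to this method.
    @PermitAll
    public String helloWorld() {
        return "hello, world";
    }

    // The override is not specific to @PermitAll: a method-level
    // @RolesAllowed replaces the class-level list rather than intersecting
    // with it. Here "qa" is locked out even though the class allows it.
    @RolesAllowed("admin")
    public String adminOnly() {
        return "admin";
    }

    // Likewise @DenyAll at method level replaces the class-level rule:
    // nobody, admin and qa included, can call this business method.
    @DenyAll
    public String disabled() {
        return "never";
    }
}
```

The check worth writing when reviewing a bean like this is a negative one: invoke each method with a caller that holds no roles and confirm that hello(), adminOnly() and disabled() fail with EJBAccessException while helloWorld() succeeds. A method that unexpectedly succeeds is one where a method-level annotation has silently replaced the class-level restriction.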