
Key: GLASSFISH-17162
Type: Bug
Status: Closed
Resolution: Works as designed
Priority: Major
Assignee: kumarjayanti
Reporter: ljnelson
Votes: 0
Watchers: 0


JSR-250 not fully implemented--incomplete list of discoverable security roles

Created: 08/Aug/11 07:29 PM   Updated: 15/Nov/11 12:57 PM   Resolved: 15/Nov/11 12:57 PM
Component/s: security
Affects Version/s: 3.1.1
Fix Version/s: None

Time Tracking: Not Specified

Tags: security community jacc jsr250
Participants: kumarjayanti, ljnelson and Nithya Ramakrishnan

Description

Ron Monzillo's standards-compliant recipe for getting a list of Java EE roles does not return the full set of roles that one would expect.

Specifically, in the absence of deployment descriptors of any kind, if an ear-contained EJB is marked only with a @RolesAllowed({ "superusers" }) annotation and not also with a @DeclareRoles({ "superusers" }) annotation, "superusers" is not returned as one of the application's roles.

More specifically, in such a case an EJBRoleRefPermission for "superusers" is not made available to the JACC policy provider as it should be.

I think this is either a violation of JSR-250 or of the JACC specification. I am not sure which.
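A way to find classes in the state the report describes, as an added example that is not code from the reporter or from GlassFish: it lists roles a class uses in @RolesAllowed (on the type or its own methods) but does not list in @DeclareRoles. The class names and both sample beans are constructed for illustration, only annotations are inspected (matching the report's "no deployment descriptors" case), and the JSR-250 annotations jar is assumed to be on the classpath.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;

// Added example: reports roles used in @RolesAllowed but absent from @DeclareRoles.
public class UndeclaredRoleCheck {

    // Constructed sample matching the report: @RolesAllowed only, no @DeclareRoles.
    @RolesAllowed({ "superusers" })
    static class ReportedBean {
        public void admin() {}
    }

    // Constructed sample: class-level role declared, method-level role not declared.
    @DeclareRoles({ "superusers" })
    @RolesAllowed({ "superusers" })
    static class PartlyDeclaredBean {
        @RolesAllowed({ "auditors" })
        public void audit() {}
    }

    // Collects every role named in @RolesAllowed on the type and its declared
    // methods, then removes the roles the type lists in @DeclareRoles.
    static Set<String> undeclaredRoles(Class<?> type) {
        Set<String> used = new TreeSet<>();
        RolesAllowed onClass = type.getAnnotation(RolesAllowed.class);
        if (onClass != null) used.addAll(Arrays.asList(onClass.value()));
        for (Method m : type.getDeclaredMethods()) {
            RolesAllowed onMethod = m.getAnnotation(RolesAllowed.class);
            if (onMethod != null) used.addAll(Arrays.asList(onMethod.value()));
        }
        DeclareRoles declared = type.getAnnotation(DeclareRoles.class);
        if (declared != null) used.removeAll(Arrays.asList(declared.value()));
        return used;
    }

    public static void main(String[] args) {
        for (Class<?> c : new Class<?>[] { ReportedBean.class, PartlyDeclaredBean.class }) {
            System.out.println(c.getSimpleName() + " undeclared roles: " + undeclaredRoles(c));
        }
    }
}
```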

Nithya Ramakrishnan made changes - 15/Nov/11 12:57 PM
Field | Original Value | New Value
Status | Open [ 1 ] | Closed [ 6 ]
Resolution | | Works as designed [ 7 ]