GLASSFISH-17162

JSR-250 not fully implemented--incomplete list of discoverable security roles

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Works as designed
    • Affects Version/s: 3.1.1
    • Fix Version/s: None
    • Component/s: security
    • Labels: None

      Description

      Ron Monzillo's standards-compliant recipe for getting a list of Java EE roles does not return the full set of roles that one would expect.

      Specifically, in the absence of deployment descriptors of any kind, if an ear-contained EJB is marked only with a @RolesAllowed({ "superusers" }) annotation and not also with a @DeclareRoles({ "superusers" }) annotation, "superusers" is not returned as one of the application's roles.

      More specifically, in such a case an EJBRoleRefPermission for "superusers" is not made available to the JACC policy provider as it should be.

      I think this is either a violation of JSR-250 or of the JACC specification. I am not sure which.
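A source-level check for the case described above, as an added example that is not part of the original report or of GlassFish: it flags Java files where a role appears in @RolesAllowed but in no @DeclareRoles. It assumes roles are written as string literals, treats each file as one unit, and uses constructed sample sources.

```python
import re

# Matches @RolesAllowed(...) or @DeclareRoles(...), optionally package-qualified,
# and captures the annotation name and its raw argument text.
ANNOTATION = re.compile(r'@(?:[\w.]+\.)?(RolesAllowed|DeclareRoles)\s*\(([^)]*)\)')
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')

def undeclared_roles(java_source):
    """Roles named in @RolesAllowed but in no @DeclareRoles of the same file."""
    used, declared = set(), set()
    for name, args in ANNOTATION.findall(java_source):
        roles = STRING_LITERAL.findall(args)
        (used if name == "RolesAllowed" else declared).update(roles)
    return used - declared

def scan(sources):
    """Map file name -> sorted undeclared roles, for files with findings only."""
    findings = {}
    for filename, text in sources.items():
        missing = undeclared_roles(text)
        if missing:
            findings[filename] = sorted(missing)
    return findings

# Constructed sample sources (not taken from the report).
SAMPLES = {
    "OnlyRolesAllowed.java": '''
        @Stateless
        @RolesAllowed({ "superusers" })
        public class OnlyRolesAllowed { public void run() {} }
    ''',
    "BothAnnotations.java": '''
        @Stateless
        @DeclareRoles({ "superusers" })
        @RolesAllowed({ "superusers" })
        public class BothAnnotations { public void run() {} }
    ''',
    "MethodLevel.java": '''
        @Stateless
        @javax.annotation.security.DeclareRoles("superusers")
        public class MethodLevel {
            @RolesAllowed({ "superusers", "auditors" })
            public void audit() {}
        }
    ''',
}

if __name__ == "__main__":
    for filename, roles in scan(SAMPLES).items():
        print(f"{filename}: @RolesAllowed without @DeclareRoles for {roles}")
```

Roles supplied through constants rather than string literals are not seen by this check.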


          People

          • Assignee: kumarjayanti
          • Reporter: ljnelson