[GLASSFISH-17162] JSR-250 not fully implemented--incomplete list of discoverable security roles Created: 08/Aug/11  Updated: 15/Nov/11  Resolved: 15/Nov/11

Status: Closed
Project: glassfish
Component/s: security
Affects Version/s: 3.1.1
Fix Version/s: None

Type: Bug Priority: Major
Reporter: ljnelson Assignee: kumarjayanti
Resolution: Works as designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Tags: community, jacc, jsr250, security


Ron Monzillo's standards-compliant recipe for getting a list of Java EE roles does not return the full set of roles that one would expect.

Specifically, in the absence of deployment descriptors of any kind, if an ear-contained EJB is marked only with a @RolesAllowed({ "superusers" }) annotation and not also with a @DeclareRoles({ "superusers" }) annotation, "superusers" is not returned as one of the application's roles.

More specifically, in such a case an EJBRoleRefPermission for "superusers" is not made available to the JACC policy provider as it should be.

I think this is either a violation of JSR-250 or of the JACC specification. I am not sure which.
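For reference, the shape of the bean the report describes, with the missing declaration added; this is an added illustration, not code from the reporter or from GlassFish, and the bean name, method names and the "auditors" role are assumptions:

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Roles listed in @DeclareRoles are declared to the container, so a JACC policy
// provider is handed an EJBRoleRefPermission for each of them even when no
// deployment descriptor exists. Relying on @RolesAllowed alone is what the
// report found insufficient for role discovery on this server version.
@DeclareRoles({ "superusers", "auditors" })
@Stateless(name = "AdminBean")   // assumed bean name
public class AdminBean {

    @Resource
    private SessionContext ctx;

    // Declarative check: only callers in "superusers" may invoke this method.
    @RolesAllowed({ "superusers" })
    public void rotateKeys() {
        // privileged work goes here
    }

    // Programmatic check: isCallerInRole() is only well defined for roles the
    // bean has declared (via @DeclareRoles or a security-role-ref), which is a
    // second reason to keep the declaration alongside @RolesAllowed.
    public boolean callerIsAuditor() {
        return ctx.isCallerInRole("auditors");
    }
}
```

Keeping @DeclareRoles in step with the roles named in @RolesAllowed (or supplying the equivalent descriptor entries) avoids depending on the container to infer the role list for the policy provider.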

Comment by Nithya Ramakrishnan [ 24/Oct/11 ]

Is there a reproducible test case for this issue? Does isUserInRole() work for superusers as expected?

Comment by Nithya Ramakrishnan [ 15/Nov/11 ]

Since we haven't got a response about the specific use case, from the description, the situation is as per design.

Generated at Fri Mar 24 20:52:39 UTC 2017 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.