EJB methods without an explicit security domain but with @RolesAllowed, @PermitAll, @DenyAll, @RunAs or @RunAsPrincipal default to the "other" security domain in JBoss EAP 6.1

Solution Verified

Issue

  • We have not enabled any security at the individual EJB or method level. What is the recommendation? We came across a JBoss 7.2.x article (like Securing EJBs) that claims that

"Starting with JBoss AS 7.2.x, the presence of any security metadata (like @RolesAllowed, @PermitAll, @DenyAll, @RunAs, @RunAsPrincipal) on the bean or any business method of the bean makes the bean secure, even in the absence of an explicitly configured security domain. In such cases, the security domain name defaults to "other". Users can explicitly configure a security domain for the bean if they want to, using either the annotation or the deployment descriptor approach explained earlier."

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0
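The following is an added example, not code from the Red Hat article or from the JBoss documentation quoted above. It shows the two situations the quote describes: a bean whose only security metadata is a method-level @RolesAllowed (so EAP 6.1 secures it against the "other" domain), and the same bean with the security domain chosen explicitly through the JBoss `@SecurityDomain` annotation (from `org.jboss.ejb3.annotation`, shipped in the jboss-ejb3-ext-api module). The role names "admin" and "user", the domain name "app-domain" and the bean names are assumptions made for the illustration; before relying on the default, check what the "other" security domain in your standalone.xml or domain.xml actually authenticates against, because that is what will be enforcing access to the bean.

```java
// ---- ReportBean.java (added example, not from the article) ----
package example.ejb;

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

/**
 * No @SecurityDomain anywhere. The @RolesAllowed on exportAll() is enough
 * security metadata for EAP 6.1 to treat the whole bean as secured, and the
 * container then authenticates and authorizes callers against the "other"
 * security domain configured in the security subsystem.
 */
@Stateless
public class ReportBean {

    // Only callers in the (assumed) role "admin" may invoke this method.
    @RolesAllowed("admin")
    public String exportAll() {
        return "all reports";
    }

    // Carries no annotation of its own and the class has no class-level
    // permission, so no role check is applied here. If that is not what you
    // want, put @RolesAllowed or @DenyAll on the class and open up methods
    // individually, as SecuredReportBean below does.
    public String summary() {
        return "summary";
    }
}

// ---- SecuredReportBean.java (added example, not from the article) ----
package example.ejb;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

/**
 * Same bean with the security domain chosen explicitly. "app-domain" is an
 * assumed name and must exist under the security subsystem. The class-level
 * @RolesAllowed is the default for every business method; a method overrides
 * it with its own @RolesAllowed, @PermitAll or @DenyAll.
 *
 * The deployment-descriptor alternative is a META-INF/jboss-ejb3.xml whose
 * <assembly-descriptor> contains:
 *   <s:security xmlns:s="urn:security">
 *     <ejb-name>SecuredReportBean</ejb-name>
 *     <s:security-domain>app-domain</s:security-domain>
 *   </s:security>
 */
@Stateless
@SecurityDomain("app-domain")
@RolesAllowed("user")
public class SecuredReportBean {

    // Overrides the class-level role: only "admin" may export.
    @RolesAllowed("admin")
    public String exportAll() {
        return "all reports";
    }

    // Inherits the class-level @RolesAllowed("user").
    public String summary() {
        return "summary";
    }

    // No role check for this method; any caller the domain lets in can use it.
    @PermitAll
    public String version() {
        return "1.0";
    }

    // Never invocable through the container, whatever roles the caller has.
    @DenyAll
    public void reset() {
    }
}
```

Whichever form you use, the annotation and the descriptor select only the domain name; the login modules under that `<security-domain>` in the security subsystem decide how callers are authenticated and which roles they receive, so a bean that silently falls back to "other" is only as strong as that domain's configuration.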
