@RolesAllowed declared at class level does not function as per spec in EAP6
Issue
I have an EJB session bean which I restrict access to using @RolesAllowed at the class level.
@Stateless
@DeclareRoles("READ_G")
@RolesAllowed({"READ_G"})
public class MySession extends AnotherStatelessSession implements MyRemote {
    // business methods declared here
}
This does seem to restrict access correctly to the methods defined within the .java file. Any methods that are defined in the base class though are not secured using the roles defined within the tag.
This should not be the case as the spec states that when defining the RolesAllowed on a class, all members of that class will inherit the restriction, unless overridden by another method level annotation.
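An added example, not from the original article or from Red Hat: a reflection check that lists the public methods a bean exposes for which neither the method nor its declaring class carries @RolesAllowed, which is the situation reported above for methods inherited from the base class. The stand-in annotation, the sample method names and the choice to check only @RolesAllowed (not @PermitAll or @DenyAll) are assumptions.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class RolesAllowedAudit {
    // Stand-in for javax.annotation.security.RolesAllowed so this compiles without
    // the Java EE API jar (assumption); use the real annotation in a deployment.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RolesAllowed { String[] value(); }

    // Constructed sample mirroring the bean above; method names are hypothetical.
    static class AnotherStatelessSession {
        public String inheritedOp() { return "base"; }
    }

    @RolesAllowed({"READ_G"})
    static class MySession extends AnotherStatelessSession {
        public String localOp() { return "local"; }
    }

    /** Public instance methods of beanClass with no @RolesAllowed on the method or its declaring class. */
    static List<String> unprotected(Class<?> beanClass) {
        List<String> out = new ArrayList<>();
        for (Method m : beanClass.getMethods()) {
            Class<?> owner = m.getDeclaringClass();
            if (owner == Object.class || Modifier.isStatic(m.getModifiers())) continue;
            // The class-level annotation is looked up on the declaring class,
            // not on the bean class the method was inherited into.
            boolean covered = m.isAnnotationPresent(RolesAllowed.class)
                    || owner.isAnnotationPresent(RolesAllowed.class);
            if (!covered) out.add(owner.getSimpleName() + "." + m.getName());
        }
        Collections.sort(out);
        return out;
    }

    public static void main(String[] args) {
        System.out.println(unprotected(MySession.class));
    }
}
```

Any method this reports needs its own role restriction, either on the base class or through an annotated override in the bean class.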
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 6.2.1
