I am trying to get @RolesAllowed to work, but despite setting a user that does
NOT have the role "JournalAccountLogin", the web service method is allowed to be
called anyway. See below for what I have configured. From the client I use a
user that has the role "Journal JWS", so I can get past the
<security-constraint> definition in the web.xml; however, this user does NOT
have the "JournalAccountLogin" role, so when I try to call the login(...) method
I was expecting the call to not work, but it does. Can anyone help with this?
WEB SERVICE
| @WebMethod
| @RolesAllowed("JournalAccountLogin")
| public Account login(...) { ... }
|
FILE web.xml
| <servlet-mapping>
|     <servlet-name>AccountJws</servlet-name>
|     <url-pattern>/bin/account.jws</url-pattern>
| </servlet-mapping>
| .
| .
| .
| <security-constraint>
|     <display-name>secure and confidential</display-name>
|     <web-resource-collection>
|         <web-resource-name>All</web-resource-name>
|         <url-pattern>/bin/*</url-pattern>
|     </web-resource-collection>
|     <auth-constraint>
|         <description>Only Journal JWS role has access</description>
|         <role-name>Journal JWS</role-name>
|     </auth-constraint>
|     <user-data-constraint>
|         <description>Only HTTPS</description>
|         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
|     </user-data-constraint>
| </security-constraint>
|
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4177719#4177719
_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
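Whatever the reason the container is not enforcing the annotation in the setup above, a defender would want the method to fail closed even when declarative security is not applied. The following is an added example, not the poster's code or anything from JBoss: a hypothetical endpoint (`AccountJwsExample`, with a placeholder `login` body) that performs an explicit role check through the standard `javax.xml.ws.WebServiceContext` in addition to `@RolesAllowed`. The decision logic is kept in a pure function so it can be exercised without a container; the `main` method runs it against two constructed role sets that mirror the situation in the post (a caller holding only "Journal JWS", and one that also holds "JournalAccountLogin").

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceException;

// Hypothetical endpoint; the poster's real class is called AccountJws.
@WebService
public class AccountJwsExample {

    // Injected by the JAX-WS runtime; gives access to the caller's principal and roles.
    @Resource
    private WebServiceContext wsContext;

    @WebMethod
    @RolesAllowed("JournalAccountLogin")
    public String login(String username) {
        // Explicit, fail-closed check that does not depend on the container
        // honouring @RolesAllowed for this endpoint type.
        RoleGuard.require(wsContext, "JournalAccountLogin");
        return "logged in as " + username; // placeholder body, not the real Account logic
    }

    // Stand-alone demonstration of the decision logic using constructed role sets.
    public static void main(String[] args) {
        Set<String> webOnly = new HashSet<>(Arrays.asList("Journal JWS"));
        Set<String> both = new HashSet<>(Arrays.asList("Journal JWS", "JournalAccountLogin"));

        // Caller that only passed the web.xml constraint: must be denied.
        System.out.println("Journal JWS only      -> allowed = "
                + RoleGuard.allowed(webOnly::contains, "JournalAccountLogin"));
        // Caller that also has the method-level role: must be allowed.
        System.out.println("plus JournalAccountLogin -> allowed = "
                + RoleGuard.allowed(both::contains, "JournalAccountLogin"));
        // Misconfiguration (empty role name) is treated as deny, never as allow.
        System.out.println("empty role name          -> allowed = "
                + RoleGuard.allowed(both::contains, ""));
    }
}

// Small helper added for this example (not part of JAX-WS or JBoss).
final class RoleGuard {
    private RoleGuard() {}

    // Throws a WebServiceException, which JAX-WS turns into a SOAP fault for the caller.
    static void require(WebServiceContext ctx, String role) {
        Principal p = ctx.getUserPrincipal();
        String who = (p == null) ? "<anonymous>" : p.getName();
        if (!allowed(ctx::isUserInRole, role)) {
            // Log the denial on the server side; the message to the client stays generic.
            System.err.println("authorization denied: principal=" + who + " required role=" + role);
            throw new WebServiceException("Access denied");
        }
    }

    // Pure decision: deny on missing/empty role name, otherwise defer to the membership test.
    static boolean allowed(Predicate<String> inRole, String role) {
        if (role == null || role.isEmpty()) {
            return false;
        }
        return inRole.test(role);
    }
}
```

Running `main` prints `false`, `true`, `false` for the three cases. Deployed, a caller in the poster's situation (role "Journal JWS" only) would receive a SOAP fault from `login` regardless of whether the container applies `@RolesAllowed`, and the server log would record which principal was refused, which is also a quick way to confirm what roles the container actually assigned to the authenticated user.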