WildFly 10 security annotation RolesAllowed not working

There are EJB security annotations in the bean class, but when it is called with Postman they are not applied.

On the class:

@Stateless
@LocalBean
@SecurityDomain("newservice")
@Path("/configuration/parammapping")
@RolesAllowed({ "GlobalManageRole"})
public class ParamMappingService extends GenericService {

On the method:

@POST
@Path("testTransformScript")
@Produces({ "application/json" })
@RolesAllowed({ "GlobalManageRole"})
public TransformScriptResponse testTransformScript(TransformScriptInfo scriptInfo) {
   

The security-domain in standalone.xml:

<security-domain name="newservice">
  <authentication>
     <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
       <module-option name="dsJndiName" value="java:/jdbc/com.supportsoft.encore.default_datasource"/>
       <module-option name="principalsQuery" value="SELECT ......."/>
       <module-option name="rolesQuery" value="SELECT ...... "/>
       <module-option name="hashCharset" value="UTF-8"/>
       <module-option name="hashAlgorithm" value="SHA"/>
       <module-option name="hashEncoding" value="base64"/>
       <module-option name="unauthenticatedIdentity" value="guest"/>
     </login-module>
  </authentication>
</security-domain>

In the server log I can see the roles are scanned for local and remote:

2022-03-02 03:56:34,285 TRACE [org.jboss.security] (MSC service thread 1-5) PBOX00310: addToRole, permission: ("javax.security.jacc.EJBMethodPermission" "ParamMappingService" "testTransformScript,Remote,rws.json.configuration.TransformScriptInfo")[Remote:testTransformScript(rws.json.configuration.TransformScriptInfo)]
2022-03-02 03:56:34,286 TRACE [org.jboss.security] (MSC service thread 1-5) PBOX00337: nextState for action addToRole: open
2022-03-02 03:56:34,286 TRACE [org.jboss.security] (MSC service thread 1-5) PBOX00310: addToRole, permission: ("javax.security.jacc.EJBMethodPermission" "ParamMappingService" "testTransformScript,Local,rws.json.configuration.TransformScriptInfo")[Local:testTransformScript(rws.json.configuration.TransformScriptInfo)]

But when I call the endpoint with Postman, I only see this in the log and no security is applied:

PBOX00354: Setting security roles ThreadLocal: null

What should I do to deny Postman or direct HTTP request calls?



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
