Hi,

I am trying to use programmatic seurity for a Stateful Session Bean.

Here is my Statefule Session Bean.

@Stateful
@RolesAllowed("AUTHORIZED_TRAVEL_AGENT")
@DeclareRoles("CREATE_CABIN")

public class TravelAgentSecureBean implements TravelAgentRemote {

     public Cabin createCabin(String name, int deckLevel, int bedCount){
             Principal principal = sessionContext.getCallerPrincipal();
             System.out.println("Caller is=" + principal.getName());   
             Cabin cabin = null;
             if (sessionContext.isCallerInRole("CREATE_CABIN")) {
                 cabin = new Cabin(name, deckLevel, bedCount);
                 entityManager.persist(cabin);
             } else {
                 System.out.println("Sorry mate, you can't create a cabin!");
             }
             return cabin;
     }

}

Here is my Login-config.xml

<application-policy name="Titan">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UserRolesLoginModule"
        flag="required">
         <module-option name="usersProperties">props/user-titan.properties</module-option>
         <module-option name="rolesProperties">props/roles-titan.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

Here are the users.properties

admin=admin
breako=password

Here are the roles.properties

admin=AUTHORIZED_MERCHANT
breako=AUTHORIZED_TRAVEL_AGENT,CREATE_CABIN

My client uses the JBoss SecurityClient to logon.

When I run, the stateful session bean correctly identifies the principal so I am happy the SecurityClient is ok.

But it returns false for isUserInRole("CREATE_CABIN")????

Any ideas what I am missing?

Thanks...