11 Replies Latest reply: Sep 12, 2012 5:56 AM by Robert Brendler RSS

@javax.annotation.security.RolesAllowed on EJBs does not work

herb Newbie

I don't know what I'm doing wrong - I need some help:

 

I like to use declarative role check on EJBs with @RolesAllowed

 

I've a simple war, with security enabled (I startet with following example https://community.jboss.org/wiki/JBossAS7SecurityCustomLoginModules).

Facelets, JSPs and servlets are protected, request.isUserInRole() works fine.

 

Then, I wrote an EJB (within the war) - injected the EJB in a servlet - called an EJBs method in the war - all works fine.

Then, I added @RolesAllowed with a role the authenticated user does not have, but the method is also successfully called.

EJBContext getCallerPrincipal returns the correct (authenticated) principal, and isCallerInRole() works fine, but not RolesAllowed

 

(I also tried to put @SecurityDomain(value = "form-auth") in the EJB - but nothing changed)

 

(I'm runng 7.1.0CR1b)

 

Thanks