I have a SOAP WS that is created as a stateless EJB. Everything is working fine except the following behavior:
Assuming that the WS has 3 methods A, B and C.
I added the @RolesAllowed annotation to each one of the three methods with different roles. The roles will be role-A, role-B and role-C respectively.
Then, I have deployed the WS on JBoss 7.1.1 which is configured to check the users and their roles on the DB.
Now, if I need a user to access only method B, I should give him role-B. Unfortunately, he won't be able to access the method without also being given role-A. This is also the case if I give him only role-C.
It seems that the user must have the first role in order to access the other methods!
I tried commenting out method A with its role, and what happened is that the behavior moved to role-B, i.e. I should give the user role-B in order to be able to access method C.
The other strange thing about this is that whenever I try to invoke the WS from SoapUI with a user who doesn't have the first role, I receive the HTTP error that the user is not authorized to call the method, and nothing is shown in the JBoss log. And if I invoke a method without its role but with the first role only, I receive an exception in the JBoss log, and the error is returned through a SOAP fault saying that the user is not allowed to call the method.
I hope there is a rational explanation for this, because it really consumed a lot of my time.