[jboss-user] [EJB 3.0] - security declarations in ejb-jar.xml ignored?

Daniel Lechner do-not-reply at jboss.com
Fri May 7 03:52:05 EDT 2010


Daniel Lechner [http://community.jboss.org/people/daniell] replied to the discussion

"security declarations in ejb-jar.xml ignored?"

To view the discussion, visit: http://community.jboss.org/message/541742#541742

--------------------------------------------------------------
Ok - now I found out some interesting things:
The DAO object I want to protect extends another class.

1. If I add some method name in the ejb-jar.xml file, the access to this method is restricted as expected, no matter whether this method is defined in the DAO class itself or inherited from some base class.
2. If I add the @RolesAllowed annotation to the DAO class, the access to every method (implemented and inherited ones) is restricted. 
3. If I try to restrict the access by writing a * as method-name in the ejb-jar.xml file, only methods which are declared in the DAO class are taken into consideration. Methods from any base class can be accessed without restrictions!

I thought (and read in many books and articles) that @RolesAllowed on class level has the same meaning as using the * as method-name in the ejb-jar.xml, but obviously it does not. Is there something else I have to configure to get the desired behaviour (I don't want to use the annotations, but exclusively the xml-configuration)?

--------------------------------------------------------------
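
One way to check a descriptor for the gap described in point 3 of the message, as an added example that is not part of the original post: it parses an ejb-jar.xml and lists the inherited methods that no method-permission names explicitly, so they can be listed by name as in point 1. The bean, role and method names and the `INHERITED` map are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor: bean, role and method names are hypothetical.
EJB_JAR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <assembly-descriptor>
    <method-permission>
      <role-name>admin</role-name>
      <method><ejb-name>CustomerDao</ejb-name><method-name>*</method-name></method>
      <method><ejb-name>CustomerDao</ejb-name><method-name>persist</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

# Assumed input: methods each bean inherits from its base classes (collected
# separately, e.g. by reflection); constructed here for illustration.
INHERITED = {"CustomerDao": {"persist", "remove", "findById"}}


def local(tag):
    """Strip the XML namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    """Stripped text of the first direct child called `name`, or None."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None


def uncovered_inherited(descriptor_xml, inherited):
    """Map each bean to the inherited methods no <method-permission> names.

    A "*" entry is deliberately not counted as covering inherited methods,
    matching the container behaviour reported in the post.
    """
    explicit = {}
    for perm in ET.fromstring(descriptor_xml).iter():
        if local(perm.tag) != "method-permission":
            continue
        for method in (m for m in perm if local(m.tag) == "method"):
            bean = child_text(method, "ejb-name")
            name = child_text(method, "method-name")
            if bean and name and name != "*":
                explicit.setdefault(bean, set()).add(name)
    return {bean: sorted(methods - explicit.get(bean, set()))
            for bean, methods in inherited.items()
            if methods - explicit.get(bean, set())}
```

For the sample descriptor, `uncovered_inherited(EJB_JAR, INHERITED)` reports `remove` and `findById` for `CustomerDao`, the two inherited methods that rely on the `*` entry alone.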
