I don't know what I'm doing wrong, so I need some help.
I want to use declarative role checks on EJBs with @RolesAllowed.
I have a simple war with security enabled (I started from the following example: https://community.jboss.org/wiki/JBossAS7SecurityCustomLoginModules).
Facelets, JSPs and servlets are protected, and request.isUserInRole() works fine.
Then I wrote an EJB (inside the war), injected the EJB into a servlet and called one of the EJB's methods from the war; all of that works fine.
Then I added @RolesAllowed with a role the authenticated user does not have, but the method is still called successfully,
and EJBContext.getCallerPrincipal() returns "anonymous" (not the authenticated principal).
How can I propagate the web app's principal/roles to the EJB level?
(I also tried putting @SecurityDomain(value = "form-auth") on the EJB, but nothing changed.)
Thanks
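Added illustration, not code from the question above: this is the shape of the EJB and the servlet-side check that the question describes, written out so the pieces that have to line up are visible in one place. Package, class, method and role names (`example`, `SecuredBean`, `adminOnly`, `admin`, `user`) are made up; the security domain name `form-auth` is the one from the question. It assumes the war's `jboss-web.xml` names that same domain and that the login module from the linked wiki article is registered under it. Note that the `@SecurityDomain` annotation JBoss AS 7 honours on EJBs is `org.jboss.ejb3.annotation.SecurityDomain`, and that `@RolesAllowed` is only enforced when the bean is called through the container proxy (the injected `@EJB` reference), never on an instance created with `new`.

```java
// Added example, not from the original question. Hypothetical package name.
package example;

import java.io.IOException;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// JBoss-specific annotation; the value must match <security-domain> in
// WEB-INF/jboss-web.xml of the war, assumed here to be:
//
//   <jboss-web>
//       <security-domain>form-auth</security-domain>
//   </jboss-web>
//
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("form-auth")
class SecuredBean {

    @Resource
    private SessionContext ctx;

    // Hypothetical role name. A caller without this role must get an
    // EJBAccessException instead of reaching the method body.
    @RolesAllowed("admin")
    public String adminOnly() {
        return "caller=" + ctx.getCallerPrincipal().getName();
    }

    // Any authenticated user may call this; the body reports what the
    // container believes about the caller, which is the quickest way to see
    // whether the web principal actually arrived at the EJB layer.
    @RolesAllowed({"user", "admin"})
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName()
                + " isAdmin=" + ctx.isCallerInRole("admin");
    }
}

// Hypothetical servlet path. The servlet itself is protected by the war's
// <security-constraint>, so the request already carries a form-auth principal.
@WebServlet("/ejb-check")
class EjbCheckServlet extends HttpServlet {

    @EJB // must go through the container proxy for @RolesAllowed to apply
    private SecuredBean bean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");

        // What the web tier sees.
        resp.getWriter().println("web principal: "
                + (req.getUserPrincipal() == null ? "none" : req.getUserPrincipal().getName()));
        resp.getWriter().println("web isUserInRole(admin): " + req.isUserInRole("admin"));

        // What the EJB tier sees. If propagation works, this prints the same
        // user as above rather than "anonymous".
        resp.getWriter().println("ejb: " + bean.whoAmI());

        // The negative check: a non-admin user must be rejected here. If the
        // method body runs for such a user, the EJB is not being secured.
        try {
            resp.getWriter().println("ejb adminOnly: " + bean.adminOnly());
        } catch (EJBAccessException denied) {
            resp.getWriter().println("ejb adminOnly: DENIED (" + denied.getMessage() + ")");
        }
    }
}
```

Hitting `/ejb-check` once as a user who has `admin` and once as a user who does not gives a two-line answer to the question: the `ejb:` line shows whether the principal reached the bean, and the `ejb adminOnly:` line shows whether `@RolesAllowed` is actually enforced. If the first line still says `anonymous`, the thing to compare is the domain name in `jboss-web.xml` against the one in the EJB annotation (and the annotation's import), since they must match for the web-tier subject to be picked up on the EJB call.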