herb [https://community.jboss.org/people/herb] created the discussion
"@javax.annotation.security.RolesAllowed on EJBs does not work"
To view the discussion, visit:
https://community.jboss.org/message/647847#647847
--------------------------------------------------------------
I don't know what I'm doing wrong - I need some help:
I'd like to use declarative role checks on EJBs with @RolesAllowed.
I have a simple war with security enabled (I started with the following examples:
https://community.jboss.org/docs/DOC-17357
https://community.jboss.org/wiki/JBossAS7SecurityCustomLoginModules).
Facelets, JSPs and servlets are protected, request.isUserInRole() works fine.
Then I wrote an EJB (within the war), injected the EJB into a servlet, and called an EJB
method in the war - all works fine.
Then I added @RolesAllowed with a role the authenticated user does not have, but the
method is still successfully called.
And EJBContext.getCallerPrincipal() returns "anonymous" (and not the authenticated
principal).
How can I propagate the webapp's principal/roles to the EJB level?
(I also tried to put @SecurityDomain(value = "form-auth") in the EJB - but
nothing changed.)
Thanks