[
https://issues.jboss.org/browse/AS7-3422?page=com.atlassian.jira.plugin.s...
]
jaikiran pai commented on AS7-3422:
-----------------------------------
{quote}
but shouldn't do "@SecurityDomain" (at EJB level) the same as
jboss-ejb3.xml? Only using @SecurityDomain (without jboss-ejb3.xml) does not work as
expected.
{quote}
I just replied in the forum thread
https://community.jboss.org/message/648787#648787. The
application is using the wrong @SecurityDomain. You should be using
@org.jboss.ejb3.annotation.SecurityDomain.
@RolesAllowed @DenyAll on EJBs does not work
--------------------------------------------
Key: AS7-3422
URL: https://issues.jboss.org/browse/AS7-3422
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.0.CR1b
Reporter: Gernot P
Assignee: jaikiran pai
I've a war within EJBs. Annotating an EJB method with @RolesAllowed or @DenyAll does
not work as expected - method is executed even if the roles do not match.
I also added @SecurityDomain annotation, which did not change the behaviour.
EJBContext getCallerPrincipal() returns the correct (authenticated) principal, and
isCallerInRole() works fine, but not @RolesAllowed.
jboss-web.xml:
<jboss-web><security-domain>formauth</security-domain></jboss-web>
Here's the security-domain part of standalone.xml, which is referenced in the war:
<security-domain name="formauth" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties"
                           value="defaultUsers.properties"/>
            <module-option name="rolesProperties"
                           value="defaultRoles.properties"/>
        </login-module>
    </authentication>
</security-domain>
At https://community.jboss.org/message/648047 is a sample war which reproduces the defect
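The fix described in the comment above, as an added example that is not part of the original issue or the reporter's sample war: an EJB bound to the "formauth" domain through org.jboss.ejb3.annotation.SecurityDomain, with method-level authorization annotations. The package, bean name, method names and the "admin" role are assumptions.

```java
package example; // hypothetical package name

import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// The import that matters. Other annotations share the simple name
// "SecurityDomain", so check the package when an IDE auto-imports it.
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("formauth") // same domain name as in jboss-web.xml / standalone.xml
public class ReportBean {   // hypothetical bean

    @Resource
    private SessionContext ctx;

    // Only callers mapped to the (assumed) "admin" role in
    // defaultRoles.properties may invoke this method.
    @RolesAllowed("admin")
    public String adminReport() {
        return "report for " + ctx.getCallerPrincipal().getName();
    }

    // No caller may invoke this method; reaching the body means the
    // container did not enforce the annotation.
    @DenyAll
    public void neverCallable() {
        throw new IllegalStateException("container should have rejected this call");
    }

    // Open to any caller; the programmatic check the reporter says already works.
    @PermitAll
    public boolean callerIsAdmin() {
        return ctx.isCallerInRole("admin");
    }
}
```

A caller without the "admin" role should receive a javax.ejb.EJBAccessException from adminReport(); if the method body runs instead, check which SecurityDomain annotation the class imports.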