[ https://issues.jboss.org/browse/AS7-5906?page=com.atlassian.jira.plugin.s... ]
jaikiran pai commented on AS7-5906:
-----------------------------------
Adding the details which Alessio, Stuart and I discussed in the AS meeting today. The
problem we are trying to solve and which currently exists in the implementation of
@WebService security backed by EJB endpoints is that the WS handlers (which apparently are
similar to EJB interceptors) don't take into account the method level security
roles/permissions assigned on the target method of the bean on which the invocation is
happening. The WS handlers are apparently invoked in the web layer by CXF (and we
don't have control to change that) before the invocation is passed on to the EJB layer
where the actual bean methods (and EJB interceptors if any) are invoked. The EJB
interceptors and the bean methods are checked for authorization appropriately by the EJB
interceptors but since the WS handlers have already been run by CXF, they run outside of
the authorization code.
A possible solution we discussed was to allow the WebService integration layer in the AS7
code to expect a way to get hold of the security method associated with the EJB method
being invoked, from the EJB3 subsystem, so that the WS layer can then use that metadata to
run it past authorization checks before invoking the WS handlers via CXF. That'll
allow the handlers to be checked for authorization before they get invoked.
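To make the gap concrete, here is an added illustration (not code from the AS7 project or from this issue) of the endpoint shape the comment describes: an EJB3-backed @WebService whose method is restricted with @RolesAllowed, with a JAX-WS handler attached. The names GreeterBean, AuditHandler and handlers.xml are hypothetical. In the flow described above, CXF runs AuditHandler on the web-layer thread before the EJB container evaluates @RolesAllowed, so the handler executes for callers who will later be rejected.

```java
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.HandlerChain;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.namespace.QName;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import java.util.Collections;
import java.util.Set;

// Hypothetical EJB3-backed endpoint. @RolesAllowed is enforced by the EJB
// container's security interceptor only when the bean method itself is invoked.
@Stateless
@WebService
@HandlerChain(file = "handlers.xml") // hypothetical descriptor listing AuditHandler
public class GreeterBean {

    @WebMethod
    @RolesAllowed("admin")
    public String greet(String name) {
        return "Hello, " + name;
    }
}

// Hypothetical handler. As the issue describes, CXF invokes it in the web layer
// before the call reaches the EJB container, so it runs even for callers who do
// not hold the "admin" role and will be rejected once greet() is reached.
class AuditHandler implements SOAPHandler<SOAPMessageContext> {

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        boolean outbound = (Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (!outbound) {
            // Anything done here (auditing, enrichment, side effects) happens
            // before authorization; until the pre-handler check proposed in this
            // issue exists, nothing privileged should be performed at this point.
            System.out.println("inbound request to " + ctx.get(MessageContext.WSDL_OPERATION));
        }
        return true; // continue the handler chain
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
    @Override public Set<QName> getHeaders() { return Collections.emptySet(); }
}
```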
Provide facility for running ejb3 ws endpoints authorization independently
--------------------------------------------------------------------------
Key: AS7-5906
URL: https://issues.jboss.org/browse/AS7-5906
Project: Application Server 7
Issue Type: Feature Request
Components: EJB
Reporter: Alessio Soldano
Assignee: jaikiran pai
Fix For: 7.2.0.Alpha1
We'd need a means of checking auth for ejb3 ws endpoints before the actual invocation
is performed. This is basically required to enforce security before running JAX-WS handlers.