I was playing around with roles on my EJB and added the @RolesAllowed("SYSTEM")
annotation. I created my own realm as follows:
| <application-policy name="MyModule">
|   <authentication>
|     <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="sufficient">
|       <module-option name="dsJndiName">java:/MyDS</module-option>
|       <module-option name="principalsQuery">SELECT account.password FROM ACCOUNTS account, PRINCIPALS principal WHERE principal.name=? and account.id = principal.id</module-option>
|       <module-option name="rolesQuery">SELECT entry.role, 'Roles' FROM ROLE_ENTRY entry, PRINCIPALS account WHERE entry.principal = account.id and account.name=?</module-option>
|     </login-module>
|     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
|       <module-option name="usersProperties">props/my-users.properties</module-option>
|       <module-option name="rolesProperties">props/my-roles.properties</module-option>
|     </login-module>
|
|     <!-- Client Login module so that the security context can be set for invoking EJBs -->
|     <login-module code="org.jboss.security.ClientLoginModule" flag="required">
|       <module-option name="restore-login-identity">true</module-option>
|     </login-module>
|   </authentication>
| </application-policy>

The EJB is called from the JMX service by doing a local JNDI lookup and calling the
method. For JMX I only get this to work when I also add the
@SecurityDomain("MyDomain") annotation to the bean.
When I do not do that, it uses the jmx-console realm, but even when I copy/paste the above
into that realm, the jmx-console is allowed to call the method. When I look at the
security trace, I see that the SYSTEM role is not part of the credentials (as I was
expecting), but the call gets executed anyway. Do I have to muck around in the Tomcat
configuration somewhere?
Output:
| 2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[system(ADMIN,JBossAdmin,)]
| 2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: JBossAdmin
| 2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[system(ADMIN,JBossAdmin,)]
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
| 2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
|   Principal: system
|   Principal: Roles(members:ADMIN,JBossAdmin)
| , sc=org.jboss.security.SecurityAssociation$SubjectContext@186e848{principal=system,subject=30019131}
| 2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.RunAsListener] HtmlAdaptor, runAs: null
| 2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.RunAsListener] HtmlAdaptor, runAs: null
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1fc0932{principal=system,subject=null}
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1bfdaa4{principal=system,subject=null}
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system

View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4054148#...
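As an added example (not from the post above and not JBoss code), here is a small Python checker that turns "Checking roles GenericPrincipal[...]" TRACE lines like the ones in the post into a principal-to-roles map, lists the application-policy names in a login-config.xml, and then evaluates a method's @RolesAllowed set against the caller's roles. It models the behaviour the post reports: the role check only takes effect once the bean is bound to a security domain, so a bean with @RolesAllowed but no @SecurityDomain is effectively fail-open, and a @SecurityDomain value that names no application-policy is reported as a finding. The trace lines, the login-config.xml fragment, the domain names and the required role set are all constructed inputs.

```python
"""Added example (not from the original post or from JBoss): reconstruct an
EJB authorization decision from JBoss TRACE output and login-config.xml."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: TRACE lines in the shape JBossSecurityMgrRealm emits.
SAMPLE_TRACE = """\
2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[system(ADMIN,JBossAdmin,)]
2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: JBossAdmin
2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
"""

# Constructed sample login-config.xml (policy name and module are placeholders).
SAMPLE_LOGIN_CONFIG = """<policy>
  <application-policy name="MyModule">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="sufficient"/>
    </authentication>
  </application-policy>
</policy>
"""

# GenericPrincipal[<name>(<role>,<role>,)] -- note the trailing comma.
PRINCIPAL_RE = re.compile(
    r"GenericPrincipal\[(?P<name>[^(\]]+)\((?P<roles>[^)]*)\)\]")


def parse_principals(trace):
    """Map each principal named in a 'Checking roles' line to its role set."""
    principals = {}
    for line in trace.splitlines():
        m = PRINCIPAL_RE.search(line)
        if m:
            roles = {r.strip() for r in m.group("roles").split(",") if r.strip()}
            principals.setdefault(m.group("name"), set()).update(roles)
    return principals


def application_policies(login_config_xml):
    """Names of all <application-policy> elements in a login-config.xml."""
    root = ET.fromstring(login_config_xml)
    return {p.get("name") for p in root.iter("application-policy")}


def check_domain_binding(security_domain, policies):
    """Findings about the bean's @SecurityDomain value (None = not annotated)."""
    findings = []
    if security_domain is None:
        findings.append("bean has @RolesAllowed but no @SecurityDomain: "
                        "no login-config policy is bound, so roles are never checked")
    elif security_domain not in policies:
        findings.append(f"@SecurityDomain({security_domain!r}) names no "
                        f"application-policy; known: {sorted(policies)}")
    return findings


def authorize(roles_allowed, security_domain, caller_roles):
    """Decision for one method call, modelling what the post observed:
    without a bound security domain the container skips the role check."""
    if security_domain is None:
        return "ALLOW", "no security domain bound: @RolesAllowed not evaluated"
    granted = set(caller_roles) & set(roles_allowed)
    if granted:
        return "ALLOW", f"caller holds {sorted(granted)}"
    return "DENY", (f"caller roles {sorted(caller_roles)} contain none of "
                    f"@RolesAllowed {sorted(roles_allowed)}")


if __name__ == "__main__":
    principals = parse_principals(SAMPLE_TRACE)
    policies = application_policies(SAMPLE_LOGIN_CONFIG)
    caller = principals["system"]
    # "MyDomain" is a constructed name that deliberately matches no policy.
    for domain in (None, "MyDomain", "MyModule"):
        for finding in check_domain_binding(domain, policies):
            print("finding:", finding)
        print(domain, "->", authorize(["SYSTEM"], domain, caller))
```

Run against a real trace, the caller set for `system` comes out as `{ADMIN, JBossAdmin}`, so a method guarded by `@RolesAllowed("SYSTEM")` on a bean that is bound to a configured domain is denied, while the same bean with no `@SecurityDomain` is allowed through, which is the symptom the post describes.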