Ok - now I found out some interesting things:
The DAO object I want to protect extends another class.
- If I add some method name in the ejb-jar.xml file, the access to this method is restricted as expected. No matter if this method is defined in the DAO class itself or inherited from some base class.
- If I add the @RolesAllowed annotation to the DAO class, the access to every method (implemented and inherited ones) is restricted.
- If I try to restrict the access by writing a * as method-name in the ejb-jar.xml file, only methods which are declared in the DAO class are taken into consideration. Methods from any base class can be accessed without restrictions!
I thought (and read in many books and articles) that @RolesAllowed on class level has the same meaning as using the * as method-name in the ejb-jar.xml, but obviously it has not. Is there something else I have to configure to get the desired behaviour (I don't want to use the annotations, but exclusively the xml-configuration)?
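
An added example, not part of the original post: it relies on the behaviour reported above, where an explicitly named method is restricted even when inherited while `*` only covers methods declared in the bean class. This Java program uses reflection to find the inherited public methods and emits explicit `<method>` entries for ejb-jar.xml. `BaseDao`, `CustomerDao` and the role `dao-user` are hypothetical names.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Set;
import java.util.TreeSet;

public class InheritedMethodPermissions {

    // Hypothetical stand-ins for the DAO and its base class (not from the post).
    public static class BaseDao {
        public Object findById(long id) { return null; }
        public void delete(Object entity) { }
    }
    public static class CustomerDao extends BaseDao {
        public Object findByName(String name) { return null; }
        @Override public void delete(Object entity) { }  // redeclared, so "*" already covers it
    }

    /** Names of public instance methods the bean inherits but does not declare itself. */
    static Set<String> inheritedOnly(Class<?> bean) {
        Set<String> names = new TreeSet<>();
        for (Method m : bean.getMethods()) {
            Class<?> owner = m.getDeclaringClass();
            if (owner != bean && owner != Object.class
                    && !Modifier.isStatic(m.getModifiers())) {
                names.add(m.getName());
            }
        }
        return names;
    }

    static String methodEntry(String ejbName, String methodName) {
        return "  <method>\n    <ejb-name>" + ejbName + "</ejb-name>\n"
             + "    <method-name>" + methodName + "</method-name>\n  </method>\n";
    }

    /** Builds a method-permission block: the wildcard plus one entry per inherited method. */
    static String methodPermission(Class<?> bean, String ejbName, String role) {
        StringBuilder xml = new StringBuilder("<method-permission>\n");
        xml.append("  <role-name>").append(role).append("</role-name>\n");
        xml.append(methodEntry(ejbName, "*"));
        for (String name : inheritedOnly(bean)) {
            xml.append(methodEntry(ejbName, name));
        }
        return xml.append("</method-permission>").toString();
    }

    public static void main(String[] args) {
        // "CustomerDao" and "dao-user" are placeholder ejb-name and role values.
        System.out.println(methodPermission(CustomerDao.class, "CustomerDao", "dao-user"));
    }
}
```

Running the same check in the build and comparing its output with the deployed descriptor shows when a newly added base-class method has no explicit entry.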