[jboss-user] [Security & JAAS/JBoss] - Does <method-permission> overwrite prevoius entry in ejb-jar

Hi I'm trying to restrict EJB method "add" in remote interface, and leave the same method in local interface accessible freely. I tried to use <method-intf> tag to distinguish interfaces. I have following entries: ... | <assembly-descriptor> | <security-role> | <description>Calculator guest</description> | <role-name>guest</role-name> | </security-role> | | <security-role> | <description>Calculator external role</description> | <role-name>externalUser</role-name> | </security-role> | | <method-permission> | <role-name>guest</role-name> | <method> | <ejb-name>CalculatorBean</ejb-name> | <method-intf>Home</method-intf> | <method-name>add</method-name> | </method> | </method-permission> | | <method-permission> | <role-name>externalUser</role-name> | <method> | <ejb-name>CalculatorBean</ejb-name> | <method-intf>Remote</method-intf> | <method-name>add</method-name> | </method> | </method-permission> | </assembly-descriptor> | ... During debugging I saw that only externaUser role is available for "add". It seems that previous <method-permission> is overwritten. My "guest" role is unknown. If I comment last entry, then the "guest" role is available. I'm invoking EJB via local interface, from another stateless EJB (packed in other jar file, but delivered in the same EAR). Caller is recognized as "guest" Do you know what is going on? Am I specifying permissions in incorrect way? Or did I miss something important? My login-config.xml is configured to accept "unauthenticatedIdentity" JBoss: 4.2.0 GA JDK: 1.6.0 u13 Thanks in advance! Darek View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4232186#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...