[jboss-dev-forums] [JBoss AS 7 Development] - @javax.annotation.security.RolesAllowed on EJBs does not work

herb do-not-reply at jboss.com
Fri Jan 20 09:21:28 EST 2012


herb [https://community.jboss.org/people/herb] created the discussion

"@javax.annotation.security.RolesAllowed on EJBs does not work"

To view the discussion, visit: https://community.jboss.org/message/647847#647847

--------------------------------------------------------------
I don't know what I'm doing wrong - I need some help:

I'd like to use declarative role checks on EJBs with @RolesAllowed.

I have a simple war with security enabled (I started with the following examples: https://community.jboss.org/docs/DOC-17357 and https://community.jboss.org/wiki/JBossAS7SecurityCustomLoginModules).
Facelets, JSPs and servlets are protected, request.isUserInRole() works fine.

Then I wrote an EJB (within the war), injected the EJB into a servlet and called an EJB's method in the war; all works fine.
Then I added @RolesAllowed with a role the authenticated user does not have, but the method is still successfully called.
And EJBContext.getCallerPrincipal() returns "anonymous" (and not the authenticated principal).

How can I propagate the webapp's principal/roles to the EJB level?

(I also tried to put @SecurityDomain(value = "form-auth") in the EJB - but nothing changed)

Thanks
--------------------------------------------------------------
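As an added example (not the poster's code), this is what a bean looks like when it is explicitly bound to the same security domain the web tier uses, so that @RolesAllowed is enforced and getCallerPrincipal() reflects the logged-in user. It assumes the domain name `form-auth` from the post, that the war's WEB-INF/jboss-web.xml names that same domain and that it is defined in standalone.xml; the role names `admin` and `user` and the class name are made up.

```java
// Added example, not from the original post. Assumes WEB-INF/jboss-web.xml in the war
// contains <security-domain>form-auth</security-domain> and that "form-auth" is defined
// in the security subsystem of standalone.xml. Role names are assumed.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
// The AS 7 annotation lives in org.jboss.ejb3.annotation (jboss-ejb3-ext-api),
// not in the older org.jboss.security.annotation package.
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("form-auth")          // must match the web tier's security domain
@DeclareRoles({ "admin", "user" })    // roles the container is allowed to check
public class AuditBean {

    @Resource
    private SessionContext ctx;

    // Only callers carrying the "admin" role reach the method body; any other
    // caller gets javax.ejb.EJBAccessException thrown by the container instead.
    @RolesAllowed("admin")
    public String purgeAuditLog() {
        return "purged by " + ctx.getCallerPrincipal().getName();
    }

    // Open to every caller; used to verify what the container actually propagated
    // from the web tier. After a successful form login this must not be "anonymous".
    @PermitAll
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName()
             + " admin=" + ctx.isCallerInRole("admin")
             + " user=" + ctx.isCallerInRole("user");
    }
}
```

A quick check from the servlet: call whoAmI() after logging in, then call purgeAuditLog() as a user without the admin role and confirm an EJBAccessException is thrown rather than the method silently succeeding. If whoAmI() still reports "anonymous", the bean is not running under the security domain at all, which is the first thing to verify before looking at role mappings.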



