[jboss-user] [Security & JAAS/JBoss] - Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
do-not-reply at jboss.com
Wed Jul 19 06:29:03 EDT 2006
so this is what I tried:
* renaming the "other" application policy in the file login-config.xml (residing in the AS conf dir) to "mine" (in order to make sure that the default security domain "other" does not kick in)
* removing the @SecurityDomain annotation from my bean
when I try this, all the roles defined in web.xml are allowed access to my jsp files (this was expected). but all users get access to my ejb bean. I define two roles in web.xml, but only one of those roles is mentioned in my ejb bean using the @RolesAllowed annotation.
when I try with a user of the role not mentioned by @RolesAllowed while the "mine" security domain is not configured, all is fine: the user doesn't get to use the ejb bean.
so what am I missing? is the ejb layer security being set aside just because I use another name for my security domain? hardly; it must be that I have configured something amiss. but what? do you know, cgriffith?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959078#3959078