[jboss-user] [EJB 3.0] - security declarations in ejb-jar.xml ignored?

Daniel Lechner do-not-reply at jboss.com
Fri May 7 03:52:05 EDT 2010

Daniel Lechner [http://community.jboss.org/people/daniell] replied to the discussion

"security declarations in ejb-jar.xml ignored?"

To view the discussion, visit: http://community.jboss.org/message/541742#541742

Ok - now I found out some interesting things:
The DAO object I want to protect extends another class.

1. If I add some method name in the ejb-jar.xml file, the access to this method is restricted as expected. No matter if this method is defined in the DAO class itself or inherited from some base class.
2. If I add the @RolesAllowed annotation to the DAO class, the access to every method (implemented and inherited ones) is restricted. 
3. If I try to restrict the access by writing a * as method-name in the ejb-jar.xml file, only methods which are declared in the DAO class are taken into consideration. Methods from any base class can be accessed without restritcions!

I thought (and read in many books and articles) that @RolesAllowed on class level has the same meaning than using the * as method-name in the ejb-jar.xml, but obviously it has not. Is there something else I have to configure to get the desired behaviour (I don't want to use the annotations, but exclusively the xml-configuration)?


Reply to this message by going to Community

Start a new discussion in EJB 3.0 at Community

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20100507/3f563a15/attachment-0001.html 

More information about the jboss-user mailing list