users@glassfish.java.net

Re: Why does not my ProgrammaticLogin propagate to EJB?

From: Bobby Bissett - Javasoft <Robert.Bissett_at_Sun.COM>
Date: Mon, 02 Apr 2007 17:01:03 -0400

>
> I noted that groups and roles need to be mapped to one another.
> My problem was that I _did_ map them to one another, only not in
> sun-application.xml, but in sun-ejb-jar.xml.

That's ok for a standalone ejb module, but currently in an application
ear only the top level sun-application.xml file mapping is read. We are
working to enable the mappings in submodules to be read, but have to
work out conflict resolution between them (which is why it's simpler to
just use the top-level file). The issue is:

https://glassfish.dev.java.net/issues/show_bug.cgi?id=2475

>
> Are you sure default principal-to-role mapping will do?

It's supposed to. ;) My understanding is that enabling the default
mapping allows you to not specify your own, and will work when the
group/principal names match the role names. The default mapping has to
be turned on at deployment time, which is when the mappings are
generated, but I think you know that part already from what I see here.

> What you still could share with me is: why are there security-role-mapping elements
> in sun-ejb-jar.xml, if they do not work? What are they used for?

They're used in the case of standalone ejb modules, but I'm hoping to
make it work so that a mapping in any application submodule will be read.

Cheers,
Bobby
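
A pre-deployment check for the behaviour described in this message, as an added example that is not part of the original message or of GlassFish: it lists roles that are mapped only in a submodule's sun-ejb-jar.xml and not in the ear's top-level sun-application.xml. The function names, the sample archive and its role and group names are constructed for illustration, and the check assumes default principal-to-role mapping is not being relied on.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def role_names(xml_bytes):
    """Return the role-name of every security-role-mapping in a descriptor."""
    root = ET.fromstring(xml_bytes)
    return {m.findtext("role-name", "").strip()
            for m in root.iter("security-role-mapping")}

def ignored_role_mappings(ear_bytes):
    """Map each ejb jar in the ear to the roles mapped only in its sun-ejb-jar.xml."""
    ignored = {}
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        names = ear.namelist()
        top = set()
        if "META-INF/sun-application.xml" in names:
            top = role_names(ear.read("META-INF/sun-application.xml"))
        for name in names:
            if not name.endswith(".jar"):
                continue
            with zipfile.ZipFile(io.BytesIO(ear.read(name))) as jar:
                if "META-INF/sun-ejb-jar.xml" not in jar.namelist():
                    continue
                missing = role_names(jar.read("META-INF/sun-ejb-jar.xml")) - top
                if missing:
                    ignored[name] = sorted(missing)
    return ignored

def _descriptor(root_tag, roles):
    # Constructed descriptor: one security-role-mapping per role, no DOCTYPE.
    body = "".join(
        f"<security-role-mapping><role-name>{r}</role-name>"
        f"<group-name>{r}-group</group-name></security-role-mapping>"
        for r in roles)
    return f"<{root_tag}>{body}</{root_tag}>".encode()

def build_sample_ear(top_roles, ejb_roles):
    """Build a constructed in-memory ear holding one ejb jar (sample input)."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/sun-ejb-jar.xml", _descriptor("sun-ejb-jar", ejb_roles))
    ear_buf = io.BytesIO()
    with zipfile.ZipFile(ear_buf, "w") as ear:
        ear.writestr("META-INF/sun-application.xml", _descriptor("sun-application", top_roles))
        ear.writestr("ejb-module.jar", jar_buf.getvalue())
    return ear_buf.getvalue()

if __name__ == "__main__":
    print(ignored_role_mappings(build_sample_ear(["admin"], ["admin", "manager"])))
```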