users@glassfish.java.net

Re: Security Manager fails to block ejb access

From: <glassfish_at_javadesktop.org>
Date: Thu, 24 Apr 2008 08:11:00 PDT

Kumar is correct about the policy checks.

Also, you should be able to configure your EJB to require client authentication (even though there are no access constraints defined on the EJB methods).

You do this in the ior-security-config element in sun-ejb-jar.xml. Make sure
<required>true</required> is present in the as-context element.

<ior-security-config>
    <transport-config>
        <integrity>supported</integrity>
        <confidentiality>supported</confidentiality>
        <establish-trust-in-target>supported</establish-trust-in-target>
        <establish-trust-in-client>supported</establish-trust-in-client>
    </transport-config>
    <as-context>
        <auth-method>username_password</auth-method>
        <realm>default</realm>
        <required>true</required>
    </as-context>
</ior-security-config>

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=271025
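
An added example, not part of the original message: a small Python check that lists the beans in a sun-ejb-jar.xml whose as-context does not have <required>true</required>, the setting the reply above describes. The sample descriptor and its bean names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; the bean names are made up for this example.
SAMPLE = """<sun-ejb-jar>
  <enterprise-beans>
    <ejb>
      <ejb-name>AccountBean</ejb-name>
      <ior-security-config>
        <as-context>
          <auth-method>username_password</auth-method>
          <realm>default</realm>
          <required>true</required>
        </as-context>
      </ior-security-config>
    </ejb>
    <ejb>
      <ejb-name>ReportBean</ejb-name>
      <ior-security-config>
        <as-context>
          <auth-method>username_password</auth-method>
          <realm>default</realm>
          <required>false</required>
        </as-context>
      </ior-security-config>
    </ejb>
    <ejb><ejb-name>PingBean</ejb-name></ejb>
  </enterprise-beans>
</sun-ejb-jar>"""

def audit_client_auth(xml_text):
    """Return {ejb-name: reason} for each ejb that does not require client auth."""
    findings = {}
    for ejb in ET.fromstring(xml_text).iter("ejb"):
        name = (ejb.findtext("ejb-name") or "<unnamed>").strip()
        as_ctx = ejb.find("ior-security-config/as-context")
        required = as_ctx.findtext("required") if as_ctx is not None else None
        if as_ctx is None:
            findings[name] = "no ior-security-config/as-context"
        elif required is None or required.strip().lower() != "true":
            findings[name] = "as-context/required is " + (required or "missing").strip()
    return findings

if __name__ == "__main__":
    for bean, reason in audit_client_auth(SAMPLE).items():
        print(bean + ": " + reason)
```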