users@glassfish.java.net

@RolesAllowed shows inconsistent behavior in session bean!

From: <glassfish_at_javadesktop.org>
Date: Fri, 25 Apr 2008 12:55:08 PDT

I've got this exasperating issue:
1. In a bean named "CategoryFacade" I've two identically annotated session bean methods (@RolesAllowed( { "admin", "developer" })). One method is an 'insert' method and the other an 'update'. There are no other annotations on the method, and there is no role annotation on the session bean as a whole.

2. I access the bean from my stand-alone swing client, logging in as "auser" (role=='viewer')

3. I get an access violation for the 'save' method (expected), and none for the 'update' method (totally unexpected).

4. In the case of both methods the SessionContext confirms that the user has the expected 'viewer' role (and only that role).

5. If I connect as an admin, I can call both methods with no access violation (as expected).

6. If I change the access on the update method to @DenyAll, it has no effect: any user/role can still call it.

In short, it seems like the 'update' method's annotations are invisible to the security system. And this at the same time as identical annotations and roles work fine on other methods in the same session bean.

Any ideas on what could be causing this, or how to fix it?

Thanks,
Ross
[Message sent by forum member 'rycohen2000' (rycohen2000)]

http://forums.java.net/jive/thread.jspa?messageID=271561
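As an added illustration (not the poster's code), here is a hypothetical reconstruction of the bean described above, with a programmatic role check inside update() that mirrors the declarative @RolesAllowed constraint. The point is defence in depth: if the container fails to apply the annotation to one method, the explicit SessionContext check still fails closed with the same EJBAccessException the container would raise. Class, method and parameter names are assumptions.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean modelled on the post: both methods carry the same
// declarative constraint; update() additionally checks the role itself.
@Stateless
@DeclareRoles({"admin", "developer", "viewer"})
public class CategoryFacade {

    @Resource
    private SessionContext ctx;

    @RolesAllowed({"admin", "developer"})
    public void insert(String categoryName) {
        // The container is expected to reject callers without an allowed
        // role before this body runs.
        persist(categoryName);
    }

    @RolesAllowed({"admin", "developer"})
    public void update(String categoryName) {
        // Explicit guard: fails closed even if the annotation is ignored.
        requireAnyRole("admin", "developer");
        persist(categoryName);
    }

    // Throws the same exception type the container uses for a declarative
    // denial, so clients observe consistent behaviour either way.
    private void requireAnyRole(String... roles) {
        for (String role : roles) {
            if (ctx.isCallerInRole(role)) {
                return;
            }
        }
        String caller = ctx.getCallerPrincipal().getName();
        throw new EJBAccessException("caller '" + caller
                + "' has none of the required roles");
    }

    private void persist(String categoryName) {
        // placeholder for the real entity-manager work
    }
}
```

Calling update() as 'auser' (role 'viewer') with this guard in place yields an EJBAccessException regardless of whether the container honoured the annotation, which also makes the inconsistency described in step 3 easy to detect in a client-side test.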