Further investigation has led me to have a look at the module's JACC policy file generated at deployment time. It is interesting in that it shows what the container deduces of the bean's permission and roles from the annotations. Mine has 4 grant blocks, one for each role (dev,admin,editor,viewer), plus a 5th grant block giving open permissions on those bean methods having no restrictions set on them. Now my open grant block has entries for some methods in my bean that are clearly annotated as restricted. Wierder still, is that I can't really seem to see any rhyme or reason as to the methods it erroneously leaves unrestricted and the ones it correctly leaves out of the open grant block.
So, what I see in the policy file matches the program's actual behavior, but it does not match the annotations. So it seems clear that the JACC provider is getting confused when it looks at my annotations.
My bean implements a remote and local interface, and the remote interface extends a 3rd business interface. As far as I can tell this is not uncommon, and I can't see any reason why it should cause confusion.
Anyways, any hints and suggestion would be welcome...
Ross
[Message sent by forum member 'rycohen2000' (rycohen2000)]
http://forums.java.net/jive/thread.jspa?messageID=271670