If you know the names of all the roles that are defined for your app, then you can try calling isCallerInRole with each role name. (You really need to know the role-refs, but in the most recent versions of EJB, role-ref values are more likely to be equivalent to the names of the corresponding roles.)
If you don't know all the role names/refs, you could try something like the following:
When an EJB container is running with a security manager enabled, it is required to set the caller's credentials in the AccessControlContext bound to the invocation thread. When running with the SecurityManager disabled, you would have to use internal GlassFish APIs to get the subject corresponding to the caller.
DomainCombiner dC = AccessController.getContext().getDomainCombiner();
// cast the combiner itself, then ask it for the caller's Subject
Subject s = ((SubjectDomainCombiner) dC).getSubject();
Given that you can get the subject corresponding to the caller, you can use the principals from the subject to create a protection domain (the codeSource value is irrelevant).
Then you can use the Policy subsystem to determine all the EjbRoleReferencePermissions granted to the call.
You can interrogate the policy subsystem from your app to determine the permitted roles.
// protectionDomain is the ProtectionDomain built from the subject's principals
Policy policy = Policy.getPolicy();
PermissionCollection pC = policy.getPermissions(protectionDomain);
Enumeration<Permission> perms = pC.elements();
Then enumerate over perms, finding all the permissions of type EJBRoleRefPermission with name (as returned by perm.getName()) equal to the name of the EJB. The value returned by calling perm.getActions() will be the name of the role-ref (which is not exactly the same thing as the role-name, but represents a value for which isCallerInRole will return true).
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=276330
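The steps in the post above, assembled into one helper as an added example (not code from the post or from GlassFish). The class and method names are hypothetical; it assumes the container runs with a SecurityManager enabled, that a JACC policy provider is installed, that javax.security.jacc is on the classpath, and that the calling code has been granted the "getDomainCombiner" and "getPolicy" SecurityPermissions.

```java
import java.security.AccessController;
import java.security.CodeSource;
import java.security.DomainCombiner;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.security.auth.SubjectDomainCombiner;
import javax.security.jacc.EJBRoleRefPermission;

// Hypothetical helper: lists the role-refs the current caller holds for one EJB.
public final class CallerRoleRefs {

    /** Call from inside a business method; ejbName is the bean's ejb-name. */
    public static Set<String> forCaller(String ejbName) {
        // The combiner carries the caller's Subject only when a SecurityManager is enabled.
        DomainCombiner dc = AccessController.getContext().getDomainCombiner();
        if (!(dc instanceof SubjectDomainCombiner)) {
            return Collections.emptySet();   // no caller Subject bound to this thread
        }
        Subject subject = ((SubjectDomainCombiner) dc).getSubject();
        return subject == null ? Collections.<String>emptySet()
                               : forSubject(subject, ejbName, Policy.getPolicy());
    }

    /** Asks the policy which EJBRoleRefPermissions the subject's principals are granted. */
    static Set<String> forSubject(Subject subject, String ejbName, Policy policy) {
        Principal[] principals = subject.getPrincipals().toArray(new Principal[0]);
        // CodeSource is irrelevant here; the cast only disambiguates the constructor.
        ProtectionDomain pd = new ProtectionDomain(
                new CodeSource(null, (Certificate[]) null), null, null, principals);
        Set<String> roleRefs = new TreeSet<>();
        for (Permission p : Collections.list(policy.getPermissions(pd).elements())) {
            // Permission name is the EJB name; actions is the role-ref.
            if (p instanceof EJBRoleRefPermission && ejbName.equals(p.getName())) {
                roleRefs.add(p.getActions());
            }
        }
        return roleRefs;
    }
}
```

An empty result means either that no role-refs are granted or that no Subject was available on the thread, so treat it as "unknown" rather than as proof the caller has no roles.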