IIRC @RolesAllowed applies an OR, not an AND. So a user that has any (A or B)
would be authorized.

On Wed, Aug 6, 2008 at 9:02 AM, <glassfish_at_javadesktop.org> wrote:
> Hi,
>
> I'm a little bit confused about the whole security mechanism in Glassfish.
> My application uses role based authorization. Let's assume I defined three
> roles ('A' 'B' and 'C') and one of my session beans is annotated with
> RolesAllowed({"A", "B"}) annotation - this means that a principal
> (application's user) must be granted roles A and B to invoke this bean's
> methods. It's all clear and simple. Problem is I need to run these methods
> from another session bean which may be invoked by anonymous user. As I
> understand this is what the RunAs annotation is for. So my question is why I
> can define only one role name in the RunAs annotation? And another question
> - is there any way to configure a session bean to behave as if it was called
> by a principal with two or more roles?
>
> Thanks,
> Olaf Tomczak
> [Message sent by forum member 'olafos' (olafos)]
>
> http://forums.java.net/jive/thread.jspa?messageID=291786
>
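
The following sketch is an added example, not code from either poster or from the GlassFish project. It shows the OR semantics of `@RolesAllowed`, a programmatic check for the case where both roles really are required, and a single-role `@RunAs` facade. The bean and method names (`ReportBean`, `PublicFacadeBean`, `read`, `purge`, `publicReport`) are hypothetical, the two classes belong in separate source files, and the no-interface `@EJB` injection assumes an EJB 3.1 or later container.

```java
// --- ReportBean.java (hypothetical bean; javax.* namespace) ---
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"A", "B"})   // roles referenced by isCallerInRole below
public class ReportBean {
    @Resource
    private SessionContext ctx;

    // OR semantics: a caller holding role A or role B is admitted.
    @RolesAllowed({"A", "B"})
    public String read() {
        return "report";
    }

    // To require A and B together, admit either role declaratively,
    // then verify both programmatically before doing the work.
    @RolesAllowed({"A", "B"})
    public void purge() {
        if (!(ctx.isCallerInRole("A") && ctx.isCallerInRole("B"))) {
            throw new EJBAccessException("caller needs both A and B");
        }
        // ... privileged work goes here ...
    }
}

// --- PublicFacadeBean.java (hypothetical bean) ---
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;

@Stateless
@RunAs("A")     // @RunAs accepts exactly one role name
@PermitAll      // callable without authentication
public class PublicFacadeBean {
    @EJB
    private ReportBean reports;

    public String publicReport() {
        // The outgoing call carries role A, which satisfies {"A", "B"}.
        return reports.read();
    }
}
```

Because the facade lends role A to every caller, including unauthenticated ones, it should expose only the specific operations that are meant to be public rather than passing through the protected bean's full interface.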