> With these requirements I would probably create a new role and map it
> accordingly (avoiding the programmatic security at all costs).
Does this mean I have to create a new role - let's say 'A_AND_B' and allow this role to invoke my method or is it possible to configure it somehow in descriptor files (using security-role-mapping maybe?). Do you know if there's any serious reason why you can't use combinations of roles in RunAs annotation? To me it seems pretty limiting...
[Message sent by forum member 'olafos' (olafos)]
http://forums.java.net/jive/thread.jspa?messageID=291812