Thanks for pointing me to the generated.policy.
I noticed the difference in the file when I use @DeclareRoles and when I don't. It causes the following line to be added to the grant statement:
permission javax.security.jacc.EJBRoleRefPermission "MenuService", "masterdata.organisation.read";
So @DeclareRoles or definition of roles in web.xml / ejb-jar.xml adds the roles to the generated policy, but @RolesAllowed does not affect your policy, but does somehow do a "temporary declare" with Default p2r mapping enabled.
Am I correct in saying the above?
I do find it a bit weird that an isCallerInRole does not follow the same behaviour.
[Message sent by forum member 'drfranknfurter' (drfranknfurter)]
http://forums.java.net/jive/thread.jspa?messageID=302905