Thank you for your help; obviously I misunderstood quite a bit.
This means my model is wrong as well. How would this be modelled correctly?
Surely it is not uncommon for an EJB method that is called from the web tier to also be called from another EJB. When it is called from the web tier it needs to be protected, but when it is called from another EJB it does not have to be, as the calling EJB requires the information and does not expose it.
1. Exposing additional unprotected methods will just become a mess.
2. Doing a login every time would be expensive and not very portable.
3. Should the remote interface be annotated and not the local interface, then using it accordingly?
4. Should every method be annotated with the roles that might call it, even if not directly called? This can become a nightmare to maintain.
5. Am I missing an obvious solution?
[Message sent by forum member 'drfranknfurter' (drfranknfurter)]
http://forums.java.net/jive/thread.jspa?messageID=332227