users@glassfish.java.net

Re: EJB 2 rolebased security on method level not working

From: <glassfish_at_javadesktop.org>
Date: Tue, 03 Feb 2009 02:14:22 PST

For method calls from methods within the same EJB, the role restrictions do not apply, since they are J2SE calls and do not involve the container (enterprise layer). So for your case, ideally the method readAddress should be given permissions for all user roles who would be invoking the methods using readAddress, i.e., readAddress should be given permissions for both roles - 'user' and 'Adress', since role 'user' is allowed to access existAddress, which in turn uses readAddress internally.

Hope this clarifies,
Nithya
[Message sent by forum member 'nitkal' (nitkal)]

http://forums.java.net/jive/thread.jspa?messageID=329807
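
The behaviour described in the reply above, as an added example that is not part of the original thread and not GlassFish code: a java.lang.reflect.Proxy stands in for the container, so role checks run only on calls that arrive through it. The AddressBean interface, the permission map and the sample address are assumptions built from the method and role names in the message.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Map;
import java.util.Set;

public class SelfInvocationDemo {
    // Hypothetical business interface, modelled on the method names in the thread.
    interface AddressBean {
        boolean existAddress(String id);
        String readAddress(String id);
    }

    static class AddressBeanImpl implements AddressBean {
        public boolean existAddress(String id) {
            // Plain Java call on "this": it never passes through the proxy,
            // so no role check runs for readAddress here.
            return readAddress(id) != null;
        }
        public String readAddress(String id) {
            return "42".equals(id) ? "1 Example Street" : null; // constructed sample data
        }
    }
    // Stand-in for the descriptor's method permissions (assumed assignment).
    static final Map<String, Set<String>> PERMISSIONS = Map.of(
            "existAddress", Set.of("user"),
            "readAddress", Set.of("Adress"));
    // Stand-in for the container: checks the caller's role on every proxied call.
    static AddressBean containerProxy(AddressBean target, String callerRole) {
        InvocationHandler h = (proxy, method, args) -> {
            Set<String> allowed = PERMISSIONS.getOrDefault(method.getName(), Set.of());
            if (!allowed.contains(callerRole)) {
                throw new SecurityException(callerRole + " may not call " + method.getName());
            }
            return method.invoke(target, args);
        };
        return (AddressBean) Proxy.newProxyInstance(
                AddressBean.class.getClassLoader(), new Class<?>[] {AddressBean.class}, h);
    }

    public static void main(String[] args) {
        AddressBean bean = containerProxy(new AddressBeanImpl(), "user");
        System.out.println("existAddress via proxy: " + bean.existAddress("42"));
        try {
            bean.readAddress("42");
        } catch (SecurityException e) {
            System.out.println("readAddress via proxy: denied (" + e.getMessage() + ")");
        }
    }
}
```

When reviewing a descriptor, treat every method reachable internally from a permitted method as reachable by that method's roles, whatever its own permission entry says.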