Hi Nitkal - and thanks for clearifying the differens between J2SE and JEE calls.
I now know that I have to to protect each method with a call to isCallerInRole to prevent unwanted roles to access the code in the method and I know the reason.
To clearify your answer - I only want users with role Adress to be allowed to access the code so for me the solution is to add a restrictive call to isCallerInRole("Adress") and exit if it returns false - not open the method to the role User.
Thank's for your help !
Jan
[Message sent by forum member 'pliktverket' (pliktverket)]
http://forums.java.net/jive/thread.jspa?messageID=329835