Currently I have my security solution working fine using annotations and no descriptors. Obviously I have "Default Principal To Role Mapping" selected in the Glassfish Security Configuration.
I have annotated an EJB with the @RunAs("from.secured.context"). Which to my knowledge should cause this EJB to call any other EJB with this role. The method (on another EJB) being invoked from this EJB is annotated with @RolesAllowed("from.secured.context", "some.other.role") This works fine on JBoss and I can happely invoke the method with no security exceptions.
Unfortunately it does not seem to work for Glassfish. Every example that I found thus far mentions that a mapping is required in sun-ejb-jar.xml. I have tried this, but then I have to map all security roles for the system there and cannot take advantage of Default Principal To Role Mapping anymore.
Is there a way to get this working with out descriptors?
[Message sent by forum member 'drfranknfurter' (drfranknfurter)]
http://forums.java.net/jive/thread.jspa?messageID=336856