> By any chance do you have any roleToSubjectMappings
> in sun-web.xml ?.
No, I don't have any declared there.
> From your desc it appears there isn't any. And is
> there a chance that
> he set-of roles in WAR and EJB-JAR are different ?.
I don't really understand this question. Why should they be the same?
In my WAR, I only restrict access very rudimentary by sth. like this in the web.xml:
<security-constraint>
<display-name>Constraint1</display-name>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<description>all</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>_Guest_</role-name>
</auth-constraint>
</security-constraint>
While in my EJB methods, I might use the same role ("_Guest_") or others that are required. The servlet thus might get an exception when trying to execute a privileged EJB method, but that's fine (it might catch it and simply hide things that the user has no access to).
Best regards, Marco :-)
[Message sent by forum member 'nlmarco']
http://forums.java.net/jive/thread.jspa?messageID=475428