The EJB specification and the Javadoc for EJBContext both say that its
isCallerInRole() method is permitted to throw an IllegalStateException if
the caller is not allowed to call the method. The context surrounding these
statements implies this is to ward off calling this method when you're not
in a security context, and that makes sense.
Glassfish's implementation also throws an IllegalStateException when you
call this method in a valid context, but if you pass it a role name that the
application doesn't know about. So if I say:
ejbContext.isCallerInRole("foobar");
...and have never done a @DeclareRoles({ "foobar" }) or the deployment
descriptor equivalent, this call will not return false, but will throw an
IllegalStateException.
This seems wrong to me. I suppose strictly speaking it's OK--indeed, I'm
not supposed to call this method with a String that is not a valid role
name, but...would it kill this method to simply return false? Can anyone
comment?
Thanks,
Laird