1 Reply Latest reply on Jan 6, 2006 3:33 AM by niwhsa

    EJB security issue with remote client

    flarosa

      I'm trying to set up a security restriction on an EJB's methods, but I'm running into a couple of confusing problems.

      The first problem is that my client is able to connect to the server and call the EJB methods freely, regardless of what kind of security I try to assign to the methods; for example:

      <security-role>
        <role-name>DataImporter</role-name>
      </security-role>

      <method-permission>
        <role-name>DataImporter</role-name>
        <method>
          <ejb-name>DataServices</ejb-name>
          <method-name>*</method-name>
        </method>
      </method-permission>

      The second problem is that my client can connect to JBoss, get a reference to this EJB and call its methods without providing any authentication at all; or even if it provides completely bogus authentication:

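      import java.util.Hashtable;
      import javax.naming.Context;
      import javax.naming.InitialContext;

      // JNDI environment for the JBoss naming service
      Hashtable<String, String> ht = new Hashtable<String, String>();
      ht.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
      ht.put(Context.PROVIDER_URL, args[0]);
      ht.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
      // Deliberately bogus principal and credentials
      ht.put(Context.SECURITY_PRINCIPAL, "garbage");
      ht.put(Context.SECURITY_CREDENTIALS, "moregarbage");

      // Look up the home interface, create the bean and call a protected method
      DataServicesHome home =
          (DataServicesHome) (new InitialContext(ht)).lookup(DataServicesHome.JNDI_NAME);
      dataServices = home.create();
      dataServices.addOrUpdateCategory(null);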

      I don't understand why this code is allowed to even connect to JBoss at all, let alone execute a security-protected method. (It runs with no exception.)

      The third problem is that while I am aware that the role name I define in my ejb-jar.xml file is not the same as the role names defined in my roles.properties file, I have not found any information as to how to create an association between the two.

      Thanks for your help.
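
An added example, not part of the post or of JBoss: a small Python check for the third problem above, comparing the role names used in ejb-jar.xml with the roles assigned in roles.properties. It assumes roles.properties uses the `user=role1,role2` format of JBoss's UsersRolesLoginModule, a DTD-style descriptor without XML namespaces, and exact string matching of role names; the sample inputs and user names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the descriptor in the post (DTD style, no namespace).
EJB_JAR = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>DataImporter</role-name></security-role>
  <method-permission>
    <role-name>DataImporter</role-name>
    <method><ejb-name>DataServices</ejb-name><method-name>*</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""

# Constructed roles.properties; user names and roles are made up.
ROLES_PROPERTIES = """# user=role1,role2
alice=dataimporter,Admin
bob.Roles=Viewer
bob.CallerPrincipal=robert
"""

def granted_roles(properties_text):
    """Role names assigned to any user in the default 'Roles' group."""
    roles = set()
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        group = key.strip().partition(".")[2] or "Roles"  # "user.Group" or bare "user"
        if group == "Roles":
            roles.update(r.strip() for r in value.split(",") if r.strip())
    return roles

def audit(ejb_jar_xml, properties_text):
    """Report method-permission roles that are undeclared or held by no user."""
    root = ET.fromstring(ejb_jar_xml)
    declared = {r.text.strip() for r in root.findall(".//security-role/role-name")}
    used = {r.text.strip() for r in root.findall(".//method-permission/role-name")}
    granted = granted_roles(properties_text)
    by_lower = {}
    for g in granted:
        by_lower.setdefault(g.lower(), []).append(g)
    missing = sorted(used - granted)
    return {
        "undeclared": sorted(used - declared),
        "unassigned": missing,
        "case_only_mismatch": {r: sorted(by_lower[r.lower()]) for r in missing if r.lower() in by_lower},
    }

if __name__ == "__main__":
    print(audit(EJB_JAR, ROLES_PROPERTIES))
```

A role listed under `unassigned` is one that no user in roles.properties holds under that exact name, so once method permissions are enforced no caller would be authorized for the methods it guards.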