0 Replies Latest reply on Jun 13, 2007 6:14 PM by batter

    SecurityDomain annotation required when called from JMX cons

    batter

      Playing around with roles and my EJB, I added the @RolesAllowed("SYSTEM") annotation. I created my own realms as follows:


       <application-policy name="MyModule">
         <authentication>

           <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="sufficient">
             <module-option name="dsJndiName">java:/MyDS</module-option>
             <module-option name="principalsQuery">SELECT account.password FROM ACCOUNTS account, PRINCIPALS principal WHERE principal.name=? and account.id = principal.id</module-option>
             <module-option name="rolesQuery">SELECT entry.role, 'Roles' FROM ROLE_ENTRY entry, PRINCIPALS account WHERE entry.principal = account.id and account.name=?</module-option>
           </login-module>

           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
             <module-option name="usersProperties">props/my-users.properties</module-option>
             <module-option name="rolesProperties">props/my-roles.properties</module-option>
           </login-module>

           <!-- Client Login module so that the security context can be set for invoking EJBs -->
           <login-module code="org.jboss.security.ClientLoginModule" flag="required">
             <module-option name="restore-login-identity">true</module-option>
           </login-module>

         </authentication>
       </application-policy>

      The EJB is called from the JMX service by doing a local JNDI lookup and calling the method. For JMX I only get this to work when I also add the @SecurityDomain("MyDomain") annotation to the bean.

      When I do not do that, it uses the jmx-console realm, but even when I copy/paste the above into that realm, the jmx-console is allowed to call the method. When I look at the security trace, I see that the SYSTEM role is not part of the credentials (as I was expecting), but the call gets executed anyway. Do I have to muck around in the Tomcat configuration somewhere?

      Output:

      2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[system(ADMIN,JBossAdmin,)]
      2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: JBossAdmin
      2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[system(ADMIN,JBossAdmin,)]
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
       Principal: system
       Principal: Roles(members:ADMIN,JBossAdmin)
      , sc=org.jboss.security.SecurityAssociation$SubjectContext@186e848{principal=system,subject=30019131}
      2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.RunAsListener] HtmlAdaptor, runAs: null
      2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.RunAsListener] HtmlAdaptor, runAs: null
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1fc0932{principal=system,subject=null}
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1bfdaa4{principal=system,subject=null}
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
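
Added example (not code from the original post): a JBoss 4.x EJB3 stateless bean carrying both annotations the poster describes, tied to the "MyModule" application-policy shown in the post, plus a caller that establishes an identity through a JAAS login before the local lookup. The bean name MyService, the method doSystemWork, the local JNDI name "MyService/local" and the "system"/"secret" credentials are placeholders assumed for illustration; the org.jboss.annotation.security.SecurityDomain package is the JBoss AS 4.x location of that annotation.

```java
// Added example, not from the original post or the JBoss project.
// Bean, method and JNDI names below are placeholders chosen for illustration.
package example;

import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginContext;
import org.jboss.annotation.security.SecurityDomain;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

@Local
interface MyServiceLocal {
    String doSystemWork();
}

// @SecurityDomain must name the <application-policy name="..."> from login-config.xml
// ("MyModule" in the post). @RolesAllowed names a role that the rolesQuery or
// my-roles.properties must grant to the authenticated caller.
@Stateless
@SecurityDomain("MyModule")
@RolesAllowed("SYSTEM")
public class MyService implements MyServiceLocal {
    public String doSystemWork() {
        return "done";
    }
}

// Caller used from an MBean: log in against the same policy so the
// ClientLoginModule pushes the caller principal and roles onto the security
// association before the local EJB invocation is made.
class MyServiceCaller {
    static String callAsSystem() throws Exception {
        // Assumed credentials for a user granted the SYSTEM role.
        LoginContext lc = new LoginContext("MyModule",
                new UsernamePasswordHandler("system", "secret".toCharArray()));
        lc.login();
        try {
            // Assumed local JNDI name for a bean deployed outside an EAR.
            MyServiceLocal svc = (MyServiceLocal) new InitialContext().lookup("MyService/local");
            return svc.doSystemWork();
        } finally {
            // Drop the pushed identity so later calls on this thread are not made as "system".
            lc.logout();
        }
    }
}
```

If the caller's roles do not include SYSTEM, the EJB3 security interceptor rejects doSystemWork() with javax.ejb.EJBAccessException; the trace in the post, where the caller holds only ADMIN and JBossAdmin yet the call succeeds, is the symptom of the bean not being bound to a security domain at all.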