I have the following jboss.xml in an ejb3 archive:
<jboss>
    <security-domain>java:/jaas/foo</security-domain>
</jboss>
My understanding is that all beans are bound to that domain "automatically" and that @RolesAllowed({"JBossAdmin"}) annotated methods throw a security exception if the principal of the invoker is not in the role "JBossAdmin".
Unfortunately, this is not the case (I'm trying it with SSB). But when I annotate the bean class with @SecurityDomain("foo"), then everything works as expected, i.e. only principals in the role of JBossAdmin are able to execute the annotated method.
Question: Is this a bug? If not, what is wrong with my jboss.xml? Actually, I thought that one is even able to overwrite the hardcoded @SecurityDomain via jboss.xml.
Just for the record, my ear layout:
foo.ear
|-- META-INF
|   `-- application.xml
|-- foo.ejb3
|   |-- META-INF
|   |   |-- INDEX.LIST
|   |   |-- MANIFEST.MF
|   |   `-- jboss.xml
|   `-- org
|       `-- server
|           `-- LoginTest.class
`-- foo.par
    `-- META-INF
        |-- INDEX.LIST
        |-- MANIFEST.MF
        `-- persistence.xml