OK, so I found JBoss AS7: Security : EJB3 Security which seems to partially answer the question.

Adding a security-domain element to a jboss-web.xml file (I'm deploying the test as a WebArchive) doesn't seem to make any difference though.

jaikiran pai wrote:

 

...

 

What does the ShrinkWrap code look like?

WebArchive: test.war:
/WEB-INF/
/WEB-INF/jboss-web.xml
/WEB-INF/web.xml
/WEB-INF/classes/
/WEB-INF/classes/users.properties
/WEB-INF/classes/org/
/WEB-INF/classes/org/jboss/
/WEB-INF/classes/org/jboss/arquillian/
/WEB-INF/classes/org/jboss/arquillian/secureejb/
/WEB-INF/classes/org/jboss/arquillian/secureejb/JBossLoginContextFactory$JBossJaasConfiguration.class
/WEB-INF/classes/org/jboss/arquillian/secureejb/demo/
/WEB-INF/classes/org/jboss/arquillian/secureejb/demo/SecureSessionBean.class
/WEB-INF/classes/org/jboss/arquillian/secureejb/JBossLoginContextFactory$NamePasswordCallbackHandler.class
/WEB-INF/classes/org/jboss/arquillian/secureejb/JBossLoginContextFactory.class
/WEB-INF/classes/roles.properties

I suspect that this has something to do with the fact that I'm doing a JAAS login.

I thought of trying that but I didn't think an EJB jar could be placed in WEB-INF/lib.

I'll try it right now

Doing this has the same result.

Demo attached FYI

Stephen Coy wrote:

 

I thought of trying that but I didn't think an EJB jar could be placed in WEB-INF/lib.

§20.2 of the EJB 3.1 spec says:

In a .war file, the deployment descriptor is stored with the name WEB-INF/ejb-jar.xml or the name META-INF/ejb-jar.xml in a .jar file within WEB-INF/lib.

so it should work fine.

It does beg the question as to whether or not jboss-ejb3.xml can also be placed in the WEB-INF directory, but that's wandering off topic.

That did not help I'm afraid.

Right now I'm wondering if the jboss-ejb3.xml is even being parsed. I put some junk in it but there were no deployment errors.

I have debugged this to some extent.

Deployment descriptors in WEB-INF/lib jars are not processed at all. That would be a bug. Presumably ejb-jars should be detected here and processed as subdeployments, but they are not.

However, jboss-ejb3.xml is parsed when it is present in the WEB-INF directory which answers the question above.

Unfortunately the parser seems to know nothing about the urn:security namespace and barfs on that xml.

In fact {color:blue}org.jboss.metadata.ejb.parser.jboss.ejb3.Namespace{color} is only aware of the http://www.jboss.com/xml/ns/javaee and http://java.sun.com/xml/ns/javaee namespaces, so I think this is another bug.

Adding the assembly descriptor worked when the jboss-ejb3.xml is in WEB-INF/lib.

I suspect that

Deployment descriptors in WEB-INF/lib jars are not processed at all. That would be a bug. Presumably ejb-jars should be detected here and processed as subdeployments, but they are not

may still be an (off topic) problem.

Thanks for your time guys.

jaikiran pai wrote:

 

Ah right, I missed that assembly-descriptor part!

 

I'll come back to this later this week, because I think this misconfigured jboss-ejb3.xml should have thrown an error.

It did throw an error when placed in the WEB-INF directory. I did mention it:

Stephen Coy wrote:

 

Unfortunately the parser seems to know nothing about the urn:security namespace and barfs on that xml.

Deployment descriptors in WEB-INF/lib jars do not seem to get parsed at all however.