Hi,
I have an EJB-based Web Service like this:
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.api.annotation.WebContext;
import javax.annotation.security.RolesAllowed;

@Stateless(name = "TestService")
@SecurityDomain(value = "WebServiceDatabaseAuth")
@WebContext(contextRoot = "/internal/MyDomain", urlPattern = "/TestService", authMethod = "BASIC", transportGuarantee = "NONE", secureWSDLAccess = true)
@WebService(serviceName = "TestService", targetNamespace = "urn:com:mytest:si")
// Class-level roles: both roles are allowed on the bean
@RolesAllowed( { "Role1", "Role2" })
@TransactionAttribute(TransactionAttributeType.REQUIRED)
public class TestServiceBean
{
    // Method-level roles override the class-level ones for this method
    @WebMethod
    @RolesAllowed( { "Role1" })
    public void testMethod()
    {
    }
}
I have two users:
- user1, who has role Role1 and can therefore access the WSDL and the method.
- user2, who has role Role2 and can therefore access the WSDL only.
If I call the WSDL (http://localhost:8080/internal/MyDomain/TestService?WSDL) with user1, I can access the WSDL definition and call testMethod(). But if I call the WSDL with user2, I get "HTTP Status 403 - Access to the requested resource has been denied". I'm not able to get the WSDL definition if I use user2 and I don't understand why. I'm migrating from JBoss 4.2.3 to 7.0.2 and I didn't have this problem before. I double-checked my security subsystem configuration in my standalone.xml and everything is OK. I think the authentication is good but the authorization doesn't seem to work correctly.
But, if I change @RolesAllowed of testMethod() to:
    @WebMethod
    @RolesAllowed( { "Role1", "Role2" })
    public void testMethod()
    {
    }
Then I can get the WSDL definition with user2.
Does anybody have an explanation?
Thank you.