Thats how I found my work around my application is a ejb 2.1 app that worked in 7.1.1 without these changes.
Are you saying the 7.1.1 was wrong and its now fixed, I have the security domain in my jboss-app.xml and did not need it in the jboss-ejb3.xml before. I'm happy to alter my app if this is seen as the correct way to do this.
peter craddock wrote:
Are you saying the 7.1.1 was wrong and its now fixed,
Yes. We fixed it as part of https://issues.jboss.org/browse/AS7-6476
To summarize, if a bean is secured (using any of the annotations or DD descriptor elements that correspond to security) then methods which do not have explicit permissions will have "deny all" semantics by default.