If I set up a security proxy for a bean, will this disable the role-method-permission checking defined in ejb-jar.xml, or are both checked in a way? If so, how?
If not, I would guess that a proxy check when the static check fails would give little performance benefit. I think clients should just be stopped if the client program is hacked/URL changed, and inaccessible functions should not be accessible from the GUI.
But the opposite could be useful: check the security proxy only if the role check fails (e.g. admins are let through without any programmatic check), although I am not sure if this gains much performance benefit. It could simplify the code in the security proxy, and it could be clearer and easier to change the security preferences (for example, to add super admins to the list of roles).
I think the best would be if you could specify which of these two options you want in jboss.xml (or maybe just check if there are any security declarations in ejb-jar.xml).