You must set a security-domain in jboss.xml to activate security.
You can find a detailed description how to setup security in the article
Thanks for the response, Annegret! We have the security-domain set and are still seeing the problem. Let me see if I can clarify a little further.
If we leave a few one of the two method-permissions out accesss is denied to these beans, as expected. However, with both method-permissions in the ejb-jar.xml. Access is allowed to all the beans by users in either role. This is where the problem lies. It appears JBoss is allowing not differentiate between the access one role should have versus the other. I checked that the proper roles were assigned in the bean and only one is set so they should not have access to the beans in which they do not have any permissions assigned, but as of now they do.
Which version of jboss are You using ?
We use jboss 2.4.3 and have method-permissions set:
an admin-role has access to all beans
a standard-role has full access to some beans, no access to a few other beans and access to special methods of a third group of beans
This works fine for us.
I can't see any error in Your configuration.
Pure speculation and this should not influence anything but did You try to put the method-permission of role FNS above the method-permission of role default to have the same order as the secruity-roles itself are listed ?
Again thanks Annegret for the suggestion. I tried it same results. Access to all my methods. Anybody else have any suggestions?