Did you ever find a solution to this problem? I have exactly the same problem with 3.2.
The only hack/workaround is to have an adapter layer between my clients that log into JAAS with the JBoss client-adapter. I shouldn't have to perform a login for unchecked method permissions!
I'm also interested in the topic. All my attempts to have unchecked methods seem to fail.
Another related issue is that I wanted to query the DB through an (unchecked) EJB to get the username/password info, but that results in an infinite loop, because the security interceptor is calling my Login handler even for this unchecked method.
Any info is appreciated. Thanks,
I found the reason for that. The "unchecked" flag relates to authorization, not authentication. In other words, any authenticated user, regardless of role, may execute it, but non-authenticated users can't. I, personally, think that is just silly -- a gross oversight -- but that is what all the docs seem to imply. Check the dtd at http://java.sun.com/dtd/ejb-jar_2_0.dtd:
The method-permission element consists of an optional description, a list of security role names or an indicator to state that the method is unchecked for authorization, and a list of method elements.
Note the use of the word authorization, rather than authentication.
See the unauthenticatedIdentity property in the JBoss security docs; I think that's what you're looking for.
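The two settings discussed in this thread, side by side, as an added example that is not part of any post above: an `<unchecked/>` method permission in ejb-jar.xml, and the `unauthenticatedIdentity` option on a JBoss login module. The domain, bean, method and principal names (`example-domain`, `PublicLookupBean`, `findCatalog`, `updateCatalog`, `anonymous`) are hypothetical, and the stock `UsersRolesLoginModule` is an assumption standing in for whatever login module the deployment actually uses.

```xml
<!-- Fragment 1: META-INF/ejb-jar.xml (EJB 2.0 DTD), assembly-descriptor only -->
<assembly-descriptor>
  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <!-- Unchecked for authorization: no role check is made on this method,
       but the container still needs a caller identity for the invocation. -->
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>PublicLookupBean</ejb-name>
      <method-name>findCatalog</method-name>
    </method>
  </method-permission>

  <!-- This method stays role-restricted. -->
  <method-permission>
    <role-name>admin</role-name>
    <method>
      <ejb-name>PublicLookupBean</ejb-name>
      <method-name>updateCatalog</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

<!-- Fragment 2: META-INF/jboss.xml, binds the EJB jar to a security domain -->
<jboss>
  <security-domain>java:/jaas/example-domain</security-domain>
</jboss>

<!-- Fragment 3: conf/login-config.xml, the policy for that domain -->
<application-policy name="example-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <!-- Calls that arrive with no credentials are assigned this
           principal, which carries no roles. -->
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Because the `anonymous` principal has no roles, it should reach only the unchecked method; after deploying, confirm that a call to `updateCatalog` made without credentials is still rejected.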