Hmmm, well, OK, doesUserHaveRole() and getUserRoles() aren't helping me out much... so I'm playing with EntityContext.isCallerInRole() instead - why not?... but it doesn't work either.
BTW, this is all running in an EJB.
When isCallerInRole() is called I get the following output to server.log:
2003-07-18 16:51:49,456 ERROR [org.jboss.ejb.plugins.LogInterceptor] RuntimeException:
java.lang.IllegalStateException: isCallerInRole() called with no security context. Check that a security-domain has been set for the application.
Can some really clever person:
- tell me why doesUserHaveRole() and getUserRoles() seem to be handy methods for getting false and null respectively
- tell me how to set a security-domain for my application? Of course, I have set up an application-policy in login-conf.xml and all the access control and authentication are working just fine.
- tell me I'm doing it all wrong and the right way to test if the caller is in a role is... whatever
You have to set a <security-domain> in the jboss.xml. Once that's in place the security manager prevents any access to EJB methods unless you explicitly allow access with <method-permission> in ejb-jar.xml. Then, anonymous users still can't get access because JBoss doesn't consider them to be real users so you have to set up a <login-module> using AnonLoginModule in your login.conf...
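Added example, not part of the original thread and not JBoss code: a small descriptor check for the two settings the reply names, a `<security-domain>` in jboss.xml and a `<method-permission>` for each bean in ejb-jar.xml. The bean, role and domain names in the sample descriptors are constructed, and the check assumes DTD-style descriptors without XML namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors: bean, role and domain names are made up.
# Assumes DTD-style (EJB 2.x) descriptors with no XML namespaces.
JBOSS_XML = """<jboss>
  <security-domain>java:/jaas/example-domain</security-domain>
</jboss>"""

EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <entity><ejb-name>AccountBean</ejb-name></entity>
    <session><ejb-name>ReportBean</ejb-name></session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>manager</role-name></security-role>
    <method-permission>
      <role-name>manager</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""


def texts(root, path):
    """Collect the stripped text of every element matching path."""
    return {(e.text or "").strip() for e in root.findall(path)}


def audit(jboss_xml, ejb_jar_xml):
    """Return findings for a jboss.xml / ejb-jar.xml pair."""
    findings = []
    jboss = ET.fromstring(jboss_xml)
    if not (jboss.findtext("security-domain") or "").strip():
        findings.append("jboss.xml: no <security-domain> set")
    ejb = ET.fromstring(ejb_jar_xml)
    beans = texts(ejb, "enterprise-beans/*/ejb-name")
    permitted = texts(ejb, "assembly-descriptor/method-permission/method/ejb-name")
    declared = texts(ejb, "assembly-descriptor/security-role/role-name")
    used = texts(ejb, "assembly-descriptor/method-permission/role-name")
    for bean in sorted(beans - permitted):
        findings.append(f"ejb-jar.xml: {bean} has no <method-permission>")
    for role in sorted(used - declared):
        findings.append(f"ejb-jar.xml: role {role} is not a declared <security-role>")
    return findings


if __name__ == "__main__":
    for line in audit(JBOSS_XML, EJB_JAR_XML):
        print(line)
```

On the sample pair it reports ReportBean, which has no `<method-permission>` and so, per the reply above, would not be callable once the security domain is set.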