OK, I'll rephrase the question:
the secured JSP page calls the secured EJB. Both are inside the same EAR and both are secured in the same security domain. Both the security constraints allow access only to users with "role1" role.
JSP has this scriptlet:
right after it, it calls the EJB, which has this code in its method:
the result: user with role1 granted gets access to both JSP and EJB. JSP outputs FALSE, while EJB outputs TRUE.
Both deployment descriptors have <security-role-ref> elements like this:
and both web.xml and ejb-jar.xml have correct corresponding <security-role> element for "role1".
Can anybody tell me, what's wrong with web container?
By the way, if I deploy only war (with EJB call removed) onto standalone Tomcat, configured to use same security realm, the JSP works fine - it outputs TRUE!
I just updated the howto and tried it on 4.0.1sp1 and it works as expected:
EJBServlet Accessed
You have accessed this servlet as user: caller_java
isUserInRole('Echo'): true
The SecuredEJB.echo('Hello') returned: Hello
Browse the release notes for fixes on caller role behavior.