would it help to add "role1" to the @RolesAllowed of EJB2?
If not: you could take a look at the @RunAs annotation (ejb spec 17.3.4):
Establishing a run-as identity for an enterprise bean does not affect the identities of its callers, which
are the identities tested for permission to access the methods of the enterprise bean. The run-as identity
establishes the identity the enterprise bean will use when it makes calls.
Thus, your bean would make all calls to ejb2 as the role specified by "@RunAs", but it's own methods would require "role1".
Hope this helps
Excellent, @RunAs suites my requirements perfectly.
Thank you very much.
It seems I spoke a bit hastily.
Although initial tests indicated that this should work, I can't get it to work. I think I misunderstood.
Here is my scenario:
Web tier calls EJB1 method which is protected. The user has the required role and all is well. EJB1 calls EJB2 which requires a different role. So I annotated EJB1 with @RunAs specifying the role required by EJB2.
Unfortunately @RunAs only allows 1 role. This is not sufficient if EJB1 calls various other EJBs protected with various roles. What I tried to do to get around this was create a role, not ever assigned to a user, for this purpose specifically.
@RunAs would always use this role and methods that are called from the Web tier AND the EJB tier gets this role added to its @RolesAllowed (in addition to the existing role required).
Sounded like a good idea at the time... except for that it does not work.
Even if the user has the original role required for the method call it fails. Which makes sense since the only role used to call the EJB is now the one specified with @RunAs, what I don't get is why is it not matching? I have the @RunAs role added to the @RolesAllowed?
This sounds strange. Did you try to assign this role to a user? Can you call your EJB methods with this user?
Could you post the relevant code snippets and the error message?
K, I am an idiot. Messed up the test. Our current project is required to run on both JBoss and Glassfish. It works as advertised on JBoss, Glassfish on the other hand ignores it like a traffic sign.
Thanks again for your help.
Nobody is perfect ;-).