1 Reply Latest reply on May 14, 2009 7:02 AM by Wolfgang Knauf

    Exclude EJB from secuirty checks

    Fake Data Newbie

      I'm sure this has come up before but i can't seem to find any decent info on how to do it.

      Basically we use FORM authentication on our web app. All app pages require the user to be authenticated (except for the login page).

      However i now need to execute a method in an EJB without being authenticated (use case is for users that have forgotten their pass to be able to reset it from outside the app)

      What is the best way to do this? How do i exclude a method of an EJB (or even the entire EJB if needed) from the security checks?

      @PermitAll still requires an authenticated caller.
      I know i need to use the "unauthenticatedIdentity" option but i'm not sure how to use this to for only one EJB (ideally for a single method) while keeping the security of the rest intact.

      any help appreciated