I have a security domain declared in jboss.xml and the same sec domain declared in jboss-web.xml. I'm using the JBoss UsersRolesLoginModule for that domain.
When I access the context root for the protected .war I properly see my forms-based login challenge, which properly rejects invalid username/passwords and properly accepts a username/password from users.properties. I then click on a link which hits things on the EJB side and get this exception:
13:45:12,143 INFO [STDOUT] Caused by: java.lang.SecurityException: Insufficient method permissions, principal=testUser, method=create, interface=HOME, requiredRoles=, principalRoles=[TestRole1, TestRole2]
You can see the JAAS authn worked and the principal is populated with the correct identity and has the required roles. These are the only two roles required anywhere in the application.
If the method is being protected and the error is insufficient permissions, then why is requiredRoles empty? If the method has no required roles, then why is it protected? Is the discrepancy between requiredRoles (empty) and principalRoles (the two required roles) causing the exception? In other words, is the decision made on a direct inclusion set compare of the two? If this is the case, then the problem is that the requiredRoles are not being properly established. If so, how do I do that? If this is not the case, then the exception is happening for another reason and I would appreciate a pointer to the light.
I figured it out. I needed to put a method-permission element in ejb-jar.xml which specifies the roles I want to allow access to, and all the beans used by the app.
This was not necessary for WLS.
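As an added illustration of the fix described above (this is example configuration, not the poster's own deployment descriptor), here is an EJB 2.x ejb-jar.xml whose assembly-descriptor declares the two roles and grants them every method of the bean. The bean name TestBean, its class and interface names, and the application name are hypothetical; the role names match the ones in the poster's log line. With no matching method-permission, JBoss computes an empty requiredRoles set for the call and denies it, which is exactly what the exception shows; this descriptor makes the set non-empty for every method, including create on the HOME interface.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <display-name>TestApp</display-name> <!-- hypothetical application name -->
  <enterprise-beans>
    <session>
      <ejb-name>TestBean</ejb-name>                       <!-- hypothetical bean name -->
      <home>com.example.TestHome</home>                   <!-- hypothetical interfaces/class -->
      <remote>com.example.Test</remote>
      <ejb-class>com.example.TestBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- Every role referenced by a method-permission must be declared here. -->
    <security-role>
      <role-name>TestRole1</role-name>
    </security-role>
    <security-role>
      <role-name>TestRole2</role-name>
    </security-role>
    <!-- Grant both roles access to every method on every interface of TestBean.
         Omitting method-intf makes "*" cover HOME as well as REMOTE, so the
         create() call on the home interface is included. -->
    <method-permission>
      <role-name>TestRole1</role-name>
      <role-name>TestRole2</role-name>
      <method>
        <ejb-name>TestBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <!-- Tighten later by replacing "*" with specific method-name entries, or
         use <unchecked/> in place of role-name for methods that need no role. -->
  </assembly-descriptor>
</ejb-jar>
```

Two checks worth doing against the log line: the role names in security-role and method-permission must match the principalRoles printed (TestRole1, TestRole2, which come from roles.properties for the UsersRolesLoginModule), and ejb-name must match the bean being called. A mismatch in either leaves requiredRoles empty again. The security-domain itself stays in jboss.xml, as the poster already has it.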