The 2.0PFD seems incomplete/inconsistent with regard to security and
message driven beans. On the one hand it says that MDBs don't have
a security context and states that getCallerPrincipal() and isCallerInRole()
must not be called. Yet the security-identity element is an allowed element
in the message-driven element. Maybe I could see not requiring support
for these methods, but disallowing their use doesn't make sense.
The key security item that is missing the natural declarative security model
of specifying a message selector and the roles that are required for matching
messages.
These issues seem to break the current SecurityInterceptor functionallity. Any
insight on to why security is defined in this way?
