1. Because @SecurityDomain is JBoss specific, is there a way to remove it from class code and keep just the standard @RolesAllowed?
I tried to remove it from the source code and have <security-domain>mobistax</security-domain> in jboss.xml. After this, I don't get any security on bean methods.

2. Why is authentication-authorization required for methods with @PermitAll??? There are methods called even before users and roles are created.

One workaround is moving these methods to a class with no @SecurityDomain tag. This is bad if you want to keep logical grouping of methods in classes.

The other workaround is to have a dummy role for these methods and pass a dummy username and password. But this is unnecessary code.

In my opinion, this is a bug. @PermitAll methods should not need any security credentials associated with the thread. No authentication and authorization should be done.

View the original post: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3956109#3956109