The behavior you see is correct based on our interpretation of the EJB spec. The SecurityException is treated as a RuntimeException thrown by the business method and the session is discarded. If other servers treat this differently, file a bug.
You cannot achieve the behavior you are looking for using a single stateful session bean accessed by a client. You would need to partition the work being done so that the restricted operation can be isolated from the session state you want to save on failure. You would need to add another stateless or stateful session bean for the restricted operation and catch and deal with the SecurityException thrown.

xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx

----- Original Message -----
From: "Sternagel Annegret (PN-SYS/PE)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 15, 2002 3:05 AM
Subject: [JBoss-user] security method-permission

> Hello,
>
> I asked this question on the list already but didn't get an answer, maybe
> the description was not clear enough?
>
> Now I reproduced the problem with the howto-sample from the jboss docs and
> asked in the forum, but it's down now :(
> Therefore I'll try here again:
>
> Remember the method permission set in the sample:
> Users with role 'Coder' are allowed to call the methods create() and noop()
> on StatefulSession but are not allowed to call method echo().
>
> From the client point of view I would expect the following behavior:
> call StatefulSession.create() => ok
> call StatefulSession.noop() => ok
> call StatefulSession.echo() => SecurityException
> call StatefulSession.noop() => ok
>
> but what happens is
> call StatefulSession.create() => ok
> call StatefulSession.noop() => ok
> call StatefulSession.echo() => SecurityException
> call StatefulSession.noop() => TRANSACTION ROLLBACK EXCEPTION:Could not
> activate; nested
> exception is: java.io.FileNotFoundException:
> D:\ProgramFiles\...\1010399848332.ser
>
> I'm afraid this is according to the spec and the container discards the bean
> after a SecurityException, is that right?
> What do I have to do to get the expected behavior?
> Does the client have to check before calling the method echo() (That's not
> what I would like to do)?
> I can't expect the client to recreate the bean after insufficient method
> call, this may result in the loss of user changes.
>
> Any ideas?
> Thanks in advance
> Annegret
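
The partitioning suggested in the reply, as an added example that is not part of the original thread and is not JBoss code: a plain-Java toy model of the discard rule, run once with a single bean and once with the restricted method moved to a second bean. The `Container` class, the session ids `s1`/`r1` and the `call` helper are hypothetical names used only for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Toy model of the container rule discussed in this thread (an assumption for
// illustration, not JBoss code): a SecurityException raised for a business
// method call is handled as a system exception and the instance is discarded.
public class DiscardDemo {
    static class Container {
        private final Map<String, StringBuilder> sessions = new HashMap<>(); // id -> state
        private final Set<String> denied; // methods the caller's role may not invoke

        Container(Set<String> denied) { this.denied = denied; }
        void create(String id) { sessions.put(id, new StringBuilder()); }

        String invoke(String id, String method) {
            StringBuilder state = sessions.get(id);
            if (state == null) throw new IllegalStateException("could not activate " + id);
            if (denied.contains(method)) {
                sessions.remove(id); // discard the instance together with its state
                throw new SecurityException("no permission for " + method);
            }
            return state.append(method).append(';').toString();
        }
    }

    // Client-side wrapper: report the outcome instead of propagating the exception.
    static String call(Container c, String id, String method) {
        try { return "ok, state=" + c.invoke(id, method); }
        catch (RuntimeException e) { return e.getClass().getSimpleName() + ": " + e.getMessage(); }
    }

    public static void main(String[] args) {
        // Single stateful bean: state and the restricted echo() share one instance.
        Container single = new Container(Set.of("echo"));
        single.create("s1");
        System.out.println(call(single, "s1", "noop"));
        System.out.println(call(single, "s1", "echo")); // denied call discards s1
        System.out.println(call(single, "s1", "noop")); // session can no longer be activated

        // Partitioned: echo() lives on a second bean, so a denial costs only that bean.
        Container stateBean = new Container(Set.of());
        Container restricted = new Container(Set.of("echo"));
        stateBean.create("s1");
        restricted.create("r1");
        System.out.println(call(stateBean, "s1", "noop"));
        System.out.println(call(restricted, "r1", "echo")); // denied call discards r1 only
        System.out.println(call(stateBean, "s1", "noop"));  // conversational state intact
    }
}
```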