You cannot use wildcards in ejb-jar.xml for declarative security.

Option 1) However, you can install a security interceptor with your application that can check these roles. The interceptor gets called before the EJB and you can handle all checking there. The interceptor gets access to the principal, roles, EJB and the EJB method that is being invoked. This is enough info for you to program fine-grained security.

Option 2) Another way would be to check the user's roles in the EJB interface methods and not proceed if the user has insufficient roles (throw a security exception). However, this logic needs to be implemented in every method.

Advantage/Disadvantage

1) Option 1 is clean and simple and your EJB code is not aware of security logic
2) Option 1 is JBoss-specific and you will have trouble migrating to other app servers that don't allow this flexibility (remember JBoss is very, very flexible and allows you to do a lot more customization than other servers)
3) Option 2 should work on any app server!!

What should you choose

Choose option (2) if you need portability or choose (1) otherwise

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3899759#3899759
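
A sketch of the portable approach (option 2) with the per-method check pulled into one shared, fail-closed helper. This is an added example, not code from the original post or from JBoss. `CallerContext` is a stand-in (assumption) for the `getCallerPrincipal()` and `isCallerInRole()` methods of `javax.ejb.EJBContext`, and the role names, `closeAccount` and the sample callers are hypothetical.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class RoleGuardDemo {
    /** Stand-in (assumption) for the two javax.ejb.EJBContext methods used here. */
    interface CallerContext {
        Principal getCallerPrincipal();
        boolean isCallerInRole(String roleName);
    }

    /** Shared check: fail closed unless the caller holds at least one allowed role. */
    static void requireAnyRole(CallerContext ctx, String... allowed) {
        if (allowed != null) {
            for (String role : allowed) {
                if (ctx.isCallerInRole(role)) return;
            }
        }
        Principal p = ctx.getCallerPrincipal();
        String who = (p == null) ? "<unauthenticated>" : p.getName();
        throw new SecurityException("caller " + who + " lacks required role " + Arrays.toString(allowed));
    }

    /** Hypothetical business method: the check runs before any work is done. */
    static String closeAccount(CallerContext ctx, String accountId) {
        requireAnyRole(ctx, "account-admin", "auditor");
        return "closed " + accountId;
    }

    /** Constructed caller for the demo (in a container, the server supplies this). */
    static CallerContext caller(final String name, String... roles) {
        final Set<String> held = new HashSet<String>(Arrays.asList(roles));
        return new CallerContext() {
            public Principal getCallerPrincipal() {
                return new Principal() { public String getName() { return name; } };
            }
            public boolean isCallerInRole(String r) { return held.contains(r); }
        };
    }

    public static void main(String[] args) {
        System.out.println(closeAccount(caller("alice", "account-admin"), "A-100"));
        try {
            closeAccount(caller("bob", "teller"), "A-100");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

In an EJB 2.x bean, each role name passed to `isCallerInRole` also has to be declared with a `security-role-ref` element in ejb-jar.xml.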