Hey, I basically have a bunch of roles which should each be mapped to different combinations of a user's "GroupPrincipals". Something like this:
<sec:role role-name="Lamp Room">
    <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="Lamp Room"/>
</sec:role>
<sec:role role-name="VDS User">
    <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="Lamp Room"/>
</sec:role>
<sec:role role-name="Personnel User">
    <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="Lamp Room"/>
</sec:role>

This means that the named roles are all assigned to a user of group "Lamp Room". Though doing the following I don't see these "virtual roles", only the actual group:

Subject subject = ContextManager.getCurrentCaller();
Set<Principal> principals = subject.getPrincipals();

I can see how this would be the case, though the following must definitely work: isCallerInRole("Personnel Admin") or EVEN isCallerInRole("Lamp Room"). They all return false.

If I have a method annotated with @RolesAllowed({"Personnel User"}), then GeronimoSecurityService.isCallerAuthorized(Method method, InterfaceType type) returns TRUE. Though, GeronimoSecurityService.isCallerInRole(String role) returns FALSE when I query isCallerInRole("Personnel User").

I assume somewhere the AccessControlContext isn't populated correctly? I'm not really sure how this should work, so if someone can tell me how this all fits together I can have a look.

Quintin Beukes
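The following is an added example, not code from the post or from Geronimo: a small offline checker that reads a role-to-principal mapping in the shape shown above and computes which roles a caller holding a given set of group principals should be granted. It makes one assumption, labelled in the code: a role is granted when at least one of the principals mapped to it is present in the caller's Subject, and a role with no mapping is never granted. The `<role-mappings>` wrapper element and the `xmlns:sec` URI are placeholders so the parser accepts the `sec:` prefix; matching is on local element names, so the real namespace does not matter. Running it against the descriptor gives the expected `isCallerInRole` answers to compare with what the runtime returns, and flags roles named in `@RolesAllowed` or `isCallerInRole` calls that have no mapping at all.

```python
"""Compute the roles a caller should hold from a Geronimo-style
role-to-principal mapping, so expected isCallerInRole() results can be
checked against the deployment descriptor before debugging the runtime."""
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

Principal = Tuple[str, str]  # (principal class, principal name)

GROUP_CLASS = "org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"

# Constructed sample modelled on the mapping in the post. The <role-mappings>
# wrapper and the xmlns:sec URI are placeholders (assumptions) so ElementTree
# accepts the prefix; the parser matches local element names and ignores the
# URI. A fourth role mapped to a different group is added as a negative case.
SAMPLE_MAPPING = f"""<role-mappings xmlns:sec="urn:placeholder:geronimo-security">
  <sec:role role-name="Lamp Room">
    <sec:principal class="{GROUP_CLASS}" name="Lamp Room"/>
  </sec:role>
  <sec:role role-name="VDS User">
    <sec:principal class="{GROUP_CLASS}" name="Lamp Room"/>
  </sec:role>
  <sec:role role-name="Personnel User">
    <sec:principal class="{GROUP_CLASS}" name="Lamp Room"/>
  </sec:role>
  <sec:role role-name="Personnel Admin">
    <sec:principal class="{GROUP_CLASS}" name="Admins"/>
  </sec:role>
</role-mappings>"""


def _local(tag: str) -> str:
    """Strip the '{uri}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def parse_role_mappings(xml_text: str) -> Dict[str, Set[Principal]]:
    """Map each role-name to the set of (class, name) principals that grant it."""
    root = ET.fromstring(xml_text)
    mappings: Dict[str, Set[Principal]] = {}
    for elem in root.iter():
        if _local(elem.tag) != "role":
            continue
        role_name = elem.get("role-name")
        if not role_name:
            raise ValueError("<role> element without role-name attribute")
        granted = {
            (p.get("class", ""), p.get("name", ""))
            for p in elem
            if _local(p.tag) == "principal"
        }
        # A role listed twice accumulates principals rather than being replaced.
        mappings.setdefault(role_name, set()).update(granted)
    return mappings


def effective_roles(mappings: Dict[str, Set[Principal]],
                    caller_principals: Set[Principal]) -> Set[str]:
    """Assumed semantics: a role is held if any mapped principal is in the Subject."""
    return {role for role, granted in mappings.items() if granted & caller_principals}


def is_caller_in_role(mappings: Dict[str, Set[Principal]],
                      caller_principals: Set[Principal], role: str) -> bool:
    """Expected isCallerInRole(role) answer; an unmapped role is never granted."""
    return bool(mappings.get(role, set()) & caller_principals)


def unmapped_roles(mappings: Dict[str, Set[Principal]],
                   declared_roles: Set[str]) -> Set[str]:
    """Roles used in @RolesAllowed / isCallerInRole that no principal maps to."""
    return {r for r in declared_roles if not mappings.get(r)}


if __name__ == "__main__":
    m = parse_role_mappings(SAMPLE_MAPPING)
    caller = {(GROUP_CLASS, "Lamp Room")}  # Subject holding only the group principal
    print("effective roles:", sorted(effective_roles(m, caller)))
    for r in ("Lamp Room", "Personnel User", "Personnel Admin"):
        print(f"isCallerInRole({r!r}) expected:", is_caller_in_role(m, caller, r))
    print("unmapped:", unmapped_roles(m, {"Personnel User", "Personnel Admin", "Auditor"}))
```

The useful check is the diff between what this computes from the descriptor and what `isCallerInRole` returns at runtime: if the descriptor says a role should be held but the container says no, the mapping is not being applied to the caller's context; if a role is in `unmapped_roles`, no `<sec:principal>` grants it and a false result is the expected outcome.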