Skip to main content

Having a problem with EJB3 security annotations - role mapping ignored

Please note these forums are being decommissioned and use the new and improved forums at
No replies
Joined: 2009-11-08

I have a very simple EJB application that uses security annotations with role mapping. The symptom of the problem is that @RolesAllowed is not working, and it appears the reason for this is that my role mappings are being ignored.

I've hunted for the source of this problem, but it persists. I have the feeling it must be something simple, but I can;t find it. I have a sneaking suspicion this is a deployment issue, but I can;t find the solution anywhere.

I've set up the file realm on my server with the users/groups I'm using. I've tried principal to role mapping and grou to role mapping, I've tried removing the role mapping entirely and filtering on group (vs. role) specifically. I've tried adding a glassfish-ejb-jar.xml descriptor file with the mappings. I've even pulled apart the security context and found that all the relevant information is in fact there and available, even though the session context seems to be strangely disconnected from this information - a call to isCallerInRole returns true for all values, even gibberish.

My glassfish-application.xml descriptor file and the bean code are attached.

This method:

public String saySomethingSecurely()
if (ctx.isCallerInRole("evangelists"))
return "Caller in evangelists: " + ctx.getCallerPrincipal().getName();

return "Secret message";

is entered regardless of the user being authenticated, and all users cause isCallerInRole to return true.

I'd think this would be pretty straight forward, but nothing I've done thus far has helped alleviate the problem.

Any insight into this would be much appreciated.

[Edit: I have replicated the following tutorial, and have attached the resulting project (

As far as I can tell, the project should be working, but doesn't. Everything appears to be where it should be and everything that needs to defined and activated are so. Again, it;s as if the role mapping is being completely ignored. Any suggestions for where I might look next would be much appreciated.

The users/groups used for this example are:


The sample code tests the @RolesAllowed, @PermitAll and @DenyAll annotations. The last call to the method to which @DenyAll is applied, correctly throws an exception. However, the first method call is restricted by @RolesAllowed to the bank_users group which is mapped to the USERS role name - all logins make it to this method. Nothing gets filtered, access isn;t restricted.

Security Manager is enabled for the app server (Glassfish v4) for the server-config Configuration. Both users have been defined in the file Ream.

What am I missing?]

EJBSecurity.zip110.78 KB