Hi All,
Now JBoss security is optional in the following sense:
if the client doesn't set a Principal, authentication is not performed.
I don't see good reasons for this strange rule.
Does anybody see any?
I propose the following rules:
1) authentication is performed iff the security-manager is set for
the given bean.
2) it is allowed that the security-manager is set, but the
role-mapping-manager is not set (now this is not allowed).
In this case:
a) throw an illegal access exception iff the set of roles for the given
method is non-empty,
b) isCallerInRole() always returns false
Any objections or comments?
Regards,
Oleg
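An added illustration of the two rule sets under discussion, written for this post and not taken from JBoss: the current "skip the check when no Principal is set" behaviour beside the proposed "authenticate iff a security-manager is configured" behaviour. The `BeanSecurityManager` and `RoleMappingManager` interfaces and the `MethodSecurityCheck` class are hypothetical stand-ins for the container's interceptor.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

// Hypothetical stand-ins for the container's security and role-mapping managers.
interface BeanSecurityManager { boolean isValid(Principal p, Object credential); }
interface RoleMappingManager { boolean doesUserHaveRole(Principal p, Set<String> roles); }

final class MethodSecurityCheck {
    private final BeanSecurityManager securityManager;    // null when not configured for the bean
    private final RoleMappingManager roleMappingManager;  // null when not configured for the bean

    MethodSecurityCheck(BeanSecurityManager sm, RoleMappingManager rmm) {
        this.securityManager = sm;
        this.roleMappingManager = rmm;
    }

    // Current rule: an anonymous call (no Principal) bypasses the check entirely,
    // so a caller who omits credentials gets through: the check fails open.
    void checkCurrent(Principal p, Object credential, Set<String> methodRoles)
            throws IllegalAccessException {
        if (p == null) return;
        if (!securityManager.isValid(p, credential))
            throw new IllegalAccessException("authentication failed");
        if (!roleMappingManager.doesUserHaveRole(p, methodRoles))
            throw new IllegalAccessException("caller not in required role");
    }

    // Proposed rules 1 and 2: authenticate whenever a security-manager is set, and
    // without a role-mapping-manager deny every method that requires a role.
    void checkProposed(Principal p, Object credential, Set<String> methodRoles)
            throws IllegalAccessException {
        if (securityManager == null) return;               // rule 1: no security-manager, no authentication
        if (p == null || !securityManager.isValid(p, credential))
            throw new IllegalAccessException("authentication failed");
        if (methodRoles.isEmpty()) return;                 // rule 2a: unrestricted method, allowed
        if (roleMappingManager == null)                    // rule 2a: roles required but nothing to map them
            throw new IllegalAccessException("method requires a role but no role-mapping-manager is set");
        if (!roleMappingManager.doesUserHaveRole(p, methodRoles))
            throw new IllegalAccessException("caller not in required role");
    }

    // Rule 2b: isCallerInRole() is always false when no role-mapping-manager is set.
    boolean isCallerInRole(Principal p, String role) {
        return roleMappingManager != null && p != null
            && roleMappingManager.doesUserHaveRole(p, Collections.singleton(role));
    }
}
```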