This is very helpful -- it probably explains a lot of weirdness I was
seeing while trying to implement security, but it's not exactly what's
happening.  I've got two methods on my class, one of which I want to allow
to be executed, one of which I want to block.
   However, even though I only explicitly allow one to be executed, the user
has access to both.  There doesn't seem to be a way to explicitly block
access in the J2EE deployment descriptors, and the default from Orion seems
to be to allow access.  This appears to me to violate the spec, so I can't
imagine it's the actual behavior.  I'm just having trouble finding out what I'm
doing wrong.

-- Chris

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of elephantwalker
> Subject: RE: Security issues. (Ugh).
>
> See bug 193 in bugzilla. If you change the way you define the multiple
> roles, it will work. There are apparently two ways sanctioned by
> j2ee spec,
> but only one way works in orion. I was looking at this bug yesterday in
> preparation for doing exactly what you are trying to do.
>

