On Sep 21, 2010, at 8:30 AM, Christian Bourque wrote:

> I think there is a bug in OpenEJB (3.1.3-SNAPSHOT build=20100806-01:49) when
> using the timer service with secured EJBs.
>
> My callback method (the one annotated with @Timeout) is never called by the
> container unless I annotate it with @PermitAll...
>
> I don't think this is right, looking at the specification it says that the
> callback method is internal to the container and so doesn't have any
> security context!

We can probably make it work without the need for the @PermitAll. Had thought we had accounted for this already, but apparently not.

Ideally, we'd:

 - ignore the security setting of the class wrt the timer method
 - log a validation failure if the method was explicitly annotated with @DenyAll or @RolesAllowed

Not sure if we can validly do that second part. Might be too strict if the timer method was also in the business interface -- discouraged for sure, but I'd have to check if it was explicitly disallowed.

Out of curiosity is your timer method also in your business interface?

-David
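
The validation rule proposed in the reply above, sketched as an added example; this is not OpenEJB code and not part of the original thread. The class `TimeoutSecurityCheck`, the method `validate`, and both sample beans are hypothetical names constructed for illustration, and the sketch assumes the `javax.ejb` and `javax.annotation.security` APIs are on the classpath.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.ejb.Timeout;
import javax.ejb.Timer;

public class TimeoutSecurityCheck {

    // Constructed sample: secured class whose timer callback carries the
    // @PermitAll workaround described in the report.
    @Stateless
    @RolesAllowed("admin")
    public static class ReportBean {
        public void schedule() { /* business method, restricted to "admin" */ }

        @Timeout
        @PermitAll
        public void onTimeout(Timer timer) { /* invoked by the container */ }
    }

    // Constructed sample: the timer callback itself is explicitly restricted,
    // which is the case the proposed rule would report.
    @Stateless
    public static class RestrictedTimerBean {
        @Timeout
        @RolesAllowed("admin")
        public void onTimeout(Timer timer) { }
    }

    /** Returns one message per @Timeout method with an explicit restriction. */
    public static List<String> validate(Class<?> beanClass) {
        List<String> failures = new ArrayList<>();
        for (Method m : beanClass.getDeclaredMethods()) {
            if (!m.isAnnotationPresent(Timeout.class)) continue;
            // Class-level security annotations are deliberately not consulted.
            if (m.isAnnotationPresent(DenyAll.class) || m.isAnnotationPresent(RolesAllowed.class)) {
                failures.add(beanClass.getSimpleName() + "." + m.getName()
                        + ": @Timeout method is explicitly restricted");
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        System.out.println(validate(ReportBean.class));
        System.out.println(validate(RestrictedTimerBean.class));
    }
}
```

The sketch does not handle the open question from the reply, namely a timer method that is also exposed through the business interface.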
