Hi David,

No, the timer method is not exposed...

Thanks

Christian

On Thu, Oct 14, 2010 at 1:49 AM, David Blevins <[email protected]> wrote:

> On Sep 21, 2010, at 8:30 AM, Christian Bourque wrote:
>
> > I think there is a bug in OpenEJB (3.1.3-SNAPSHOT build=20100806-01:49) when
> > using the timer service with secured EJBs.
> >
> > My callback method (the one annotated with @Timeout) is never called by the
> > container unless I annotate it with @PermitAll...
> >
> > I don't think this is right, looking at the specification it says that the
> > callback method is internal to the container and so doesn't have any
> > security context!
>
> We can probably make it work without the need for the @PermitAll. Had
> thought we had accounted for this already, but apparently not. Ideally,
> we'd:
>
> - ignore the security setting of the class wrt the timer method
> - log a validation failure if the method was explicitly annotated with
>   @DenyAll or @RolesAllowed
>
> Not sure if we can validly do that second part. Might be too strict if the
> timer method was also in the business interface -- discouraged for sure, but
> I'd have to check if it was explicitly disallowed.
>
> Out of curiosity is your timer method also in your business interface?
>
> -David
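The setup discussed in this thread, as an added example that is not code from either poster or from OpenEJB: a bean secured at class level whose `@Timeout` callback carries the `@PermitAll` workaround and is kept out of the business interface. The names `ReportScheduler`, `ReportSchedulerBean`, `report-admin` and `nightly-report` are hypothetical.

```java
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.ejb.Timeout;
import javax.ejb.Timer;
import javax.ejb.TimerService;

// Hypothetical business interface. The timeout callback is deliberately
// absent, so no client can reach it through a bean reference.
@Local
interface ReportScheduler {
    void scheduleReport(long delayMillis);
}

@Stateless
@RolesAllowed("report-admin") // class-level rule: applies to every business method
public class ReportSchedulerBean implements ReportScheduler {

    @Resource
    private TimerService timerService;

    // Business method: only callers in the (hypothetical) report-admin role
    // may create the timer.
    public void scheduleReport(long delayMillis) {
        timerService.createTimer(delayMillis, "nightly-report");
    }

    // Workaround reported in the thread: without @PermitAll the affected
    // OpenEJB build applies the class-level role check to the container's
    // own callback and the method is never invoked.
    @PermitAll
    @Timeout
    public void onTimeout(Timer timer) {
        // The callback is driven by the container, not by a client request,
        // so authorization decisions belong in scheduleReport(), not here.
        String job = (String) timer.getInfo();
        runJob(job);
    }

    // Not a business method; reachable only from inside the bean.
    private void runJob(String job) {
        System.out.println("Running scheduled job: " + job);
    }
}
```

If the callback were also declared in the business interface, `@PermitAll` would open it to every caller, which is the case David asks about; keeping it off the interface limits the annotation's effect to the container's timer invocation.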
