Hi all.
I have some questions about EJB security.
1. My servlet is using <run-as> security. This servlet uses an EJB which also defines a <run-as> element.
Now, when the user is authenticated by the servlet, the role that has been added to the user will be passed to the EJB to check if he has the authorization, right?
2. Should I specify <method-permission> if I am using <run-as> in both the servlet and the EJB?
3. When we use the <use-caller-identity> element for an EJB, what does this mean?
How could an EJB know the role of the user?
How could the user supply his role?
Thanks.