Description of problem:

I have an EJB session bean which I restrict access to using @RolesAllowed at the class level.

    @Stateless
    @DeclareRoles("READ_G")
    @RolesAllowed({"READ_G"})
    public class MySession extends AnotherStatelessSession implements MyRemote {

This does seem to restrict access correctly to the methods defined within the subclass. Any methods that are defined in the base class, though, are not secured using the roles defined within the tag. This should not be the case, as the spec states that when defining the RolesAllowed on a class, all members of that class will inherit the restriction, unless overridden by another method-level annotation.
Closing as the upstream issue has been rejected.

Stuart Douglas wrote:

It is basically the whole section. Basically class level annotations only apply to methods defined by the class, not to methods defined by the super class. The term 'all applicable business methods of the class' just means the methods that are declared on the class itself, not on any superclass. This applies to pretty much all EJB annotations, and is tested by the TCK.
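A reflection check for the gap described in this report, as an added example that is not part of the bug report or the project's code: it lists public methods a bean inherits from a superclass that carry no role annotation at method level or on their declaring class. The nested `RolesAllowed` is a stand-in for `javax.annotation.security.RolesAllowed` so the file compiles with only the JDK; the method names, the `RoleCoverageAudit` class and the simplification of treating every public method as a business method (and ignoring `@PermitAll`/`@DenyAll`) are assumptions.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class RoleCoverageAudit {
    // Stand-in for javax.annotation.security.RolesAllowed (same retention and targets).
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RolesAllowed { String[] value(); }

    // Constructed sample beans mirroring the report; method names are hypothetical.
    static class AnotherStatelessSession {
        public String inheritedRead() { return "data"; }   // declared only on the superclass
        public String overriddenRead() { return "data"; }
    }

    @RolesAllowed({"READ_G"})
    static class MySession extends AnotherStatelessSession {
        public String ownRead() { return "data"; }          // covered by the class-level annotation
        // Overriding makes the method "declared on the class", so READ_G applies to it.
        @Override public String overriddenRead() { return super.overriddenRead(); }
    }

    // A class-level annotation covers only methods declared by that class, so each
    // method is judged against its own annotation and its declaring class.
    static List<String> unprotectedMethods(Class<?> bean) {
        List<String> out = new ArrayList<>();
        for (Method m : bean.getMethods()) {
            Class<?> owner = m.getDeclaringClass();
            if (owner == Object.class || m.isSynthetic() || m.isBridge()) continue;
            boolean covered = m.isAnnotationPresent(RolesAllowed.class)
                    || owner.isAnnotationPresent(RolesAllowed.class);
            if (!covered) out.add(owner.getSimpleName() + "." + m.getName());
        }
        Collections.sort(out);
        return out;
    }

    public static void main(String[] args) {
        // Lists the inherited methods that the class-level annotation does not reach.
        System.out.println(unprotectedMethods(MySession.class));
    }
}
```

Any method the check reports needs either an annotation on the superclass or an override in the annotated subclass that delegates to `super`.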