project_key: JBPAPP6 When "strict" is set in allRolesMode in server.xml Realm, then authentication roles can only be set using annotations @DeclareRoles and @RolesAllowed. The documentation on [1] says that this can be configured also using sun-ejb-jar.xml, we should have this option also in JBoss descriptors. STRICT_MODE Use the strict servlet spec interpretation which requires that the user have one of the web-app/security-role/role-name When using JAXWS EJB endpoints, this can be achieved using @DeclareRoles annotation, see: http://docs.oracle.com/javaee/5/tutorial/doc/bncav.html#bncaw
Link: Added: This issue is related to JBPAPP-8890
the original bug case
Link: Added: This issue depends LOGTOOL-48
Link: Removed: This issue depends LOGTOOL-48
Docs QE Status: Removed: NEW
This looks like it was fixed a while back, if there is a new issue, please open an upstream jira