EJB 2.0 authorization of methods with no defined permissions

For EJB 2.0 components, if there are no roles associated with a method, then access is denied to everyone, which is different from EJB version 1.x. Keep this in mind when upgrading from EJB version 1.x to 2.0.

Note: The com.sybase.jaguar.server.ejb.role.default property affects only EJB 2.0 components, not EJB 1.1 or 1.0 components.

Usually a role reference is mapped to a J2EE role. However, sometimes the mapping to the J2EE role may be missing, either intentionally, or due to mappings or customization not being performed after you deploy a J2EE application. In some cases, the mapping of the J2EE role to the EAServer role is missing. The following describes the behavior of the server in such cases:

  1. If a mapping from the role reference to a J2EE role is found, the server then searches for a mapping from that J2EE role to an EAServer role. If that search fails, role checks are performed against the J2EE role directly. If it succeeds, role checks are performed against the EAServer role.

  2. If no mapping from the role reference to a J2EE role is found, the server searches for a mapping from the role reference directly to an EAServer role. If a match is found, role checks are performed against the EAServer role. Otherwise, role checks are performed against the role reference name directly.

In some EAServer and application configurations, the role reference name, the J2EE role name, and the EAServer role name may be the same. In such cases, even though the deployer has not explicitly set the mappings, the server applies the default behavior described above at run time, and EAServer ends up performing the role checks internally against the EAServer role. In some application environments this is the intended and desired behavior; in others it may be unintended.

Role checks performed against a role that is not defined in the repository fail. If there is a role service or an authorization service, these services are consulted. See Chapter 10, “Creating and Using Custom Security Components.”

Note: EJB 2.0 authorization. For an EJB 2.0 bean, if no method permissions are defined for any method, no authorization checks are performed and access is granted to any user. If, however, any one method has a permission assigned to it, you must assign permissions to all methods that clients are allowed to call; otherwise, clients will be denied access to the unassigned methods due to an authorization failure.
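The two rules above (the role-name resolution fallbacks in steps 1 and 2, and the EJB 2.0 default-deny behavior for methods without permissions) modeled as a small Python check. This is an added illustration, not EAServer code; the mapping tables, role names, method names and the `repository_roles` set are constructed for the example, and a role or authorization service is assumed to be absent.

```python
# Added example: models EAServer's role-reference resolution and the
# EJB 2.0 method-permission rule. All tables below are constructed.

def resolve_role(role_ref, ref_to_j2ee, j2ee_to_easerver, ref_to_easerver):
    """Return (name, kind) the server would check the caller against.
    kind is 'easerver', 'j2ee' or 'ref', mirroring the fallback order."""
    j2ee = ref_to_j2ee.get(role_ref)
    if j2ee is not None:
        # Step 1: role ref -> J2EE role found; try J2EE -> EAServer role
        eas = j2ee_to_easerver.get(j2ee)
        return (eas, "easerver") if eas is not None else (j2ee, "j2ee")
    # Step 2: no J2EE mapping; try role ref -> EAServer role directly
    eas = ref_to_easerver.get(role_ref)
    return (eas, "easerver") if eas is not None else (role_ref, "ref")

def method_allowed(method, method_permissions, user_roles, repository_roles,
                   ref_to_j2ee, j2ee_to_easerver, ref_to_easerver):
    """EJB 2.0 rule: no permissions on any method -> no checks, access
    granted. Otherwise a method with no assigned roles is denied, and a
    resolved role that is not defined in the repository fails the check."""
    if not method_permissions:
        return True
    for ref in method_permissions.get(method, ()):
        name, _kind = resolve_role(ref, ref_to_j2ee, j2ee_to_easerver,
                                   ref_to_easerver)
        if name in repository_roles and name in user_roles:
            return True
    return False

# Constructed deployment: one fully mapped ref, one mapped only to a
# J2EE role, one mapped straight to an EAServer role, one unmapped.
REF_TO_J2EE = {"admin-ref": "Admin", "auditor-ref": "Auditor"}
J2EE_TO_EAS = {"Admin": "EAS_Admin"}
REF_TO_EAS = {"ops-ref": "EAS_Ops"}
REPOSITORY_ROLES = {"EAS_Admin", "EAS_Ops"}      # roles defined in EAServer
METHOD_PERMS = {"deleteAccount": {"admin-ref"}, "audit": {"auditor-ref"}}

def check(method, user_roles, perms=METHOD_PERMS):
    return method_allowed(method, perms, user_roles, REPOSITORY_ROLES,
                          REF_TO_J2EE, J2EE_TO_EAS, REF_TO_EAS)

if __name__ == "__main__":
    for m in ("deleteAccount", "audit", "listAccounts"):
        print(m, check(m, {"EAS_Admin"}))
```

Note that `audit` is denied even for a caller holding `Auditor`, because the check falls back to the J2EE role name, which is not defined in the repository; `listAccounts` is denied because another method carries a permission.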