This section is under construction, please check back later.

There are a few things that should be noted about security from the server-side perspective.

Security Propagation Note: this is partially documented in the EJB 3 spec section.

  1. Once a remote bean has been instantiated from within the container, it inherits the entire security context; all roles are inherited exactly as they apply to the method in which the bean is being looked up.

  2. Looking up a bean via an InitialContext, or obtaining it via injection, inherits the security context (user, roles, etc.), thereby propagating the security context to every container bean in the chain of method calls.

  3. No properties are allowed for the InitialContext, and you MUST use the no-args constructor only. There are documents elsewhere that describe using the OpenEJB initial context factories with usernames, passwords, etc.; it should be noted that this use of the factories is OpenEJB specific, and exists to facilitate non-standard clients that are not running in an EJB container.

For example, here is an EJB that returns another bean through a remote method call. In this case the OtherBean instance will have the same security context as MyBean, including the principal (username), roles, etc.

import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Declares an EJB reference named "otherBean" in this bean's java:comp/env namespace.
@EJB(name = "otherBean", beanInterface = IOtherBean.class)
@Stateless // session bean type assumed; the original page does not say which
public class MyBean {

    public IOtherBean getOtherBean() throws NamingException {
        // No-args constructor only: the caller's principal and roles propagate
        // to OtherBean through the container, no credentials are supplied here.
        InitialContext context = new InitialContext();
        return (IOtherBean) context.lookup("java:comp/env/otherBean");
    }
}
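As an added example (not part of the original page), here is a possible OtherBean that shows the propagated identity on the receiving side: the container evaluates the declarative role checks against the original caller, and SessionContext reports that caller's principal. The IOtherBean interface, its methods, and the role names "employee" and "manager" are assumed for illustration.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Assumed remote interface for illustration; not part of the original page.
interface IOtherBean {
    String whoAmI();
    void approve(String requestId);
}

@Stateless
public class OtherBean implements IOtherBean {

    // Injected by the container; reflects the caller whose identity was
    // propagated along the chain MyBean -> OtherBean.
    @Resource
    private SessionContext ctx;

    // The principal seen here is the original client's, not a container
    // or anonymous identity, because MyBean used the no-args InitialContext.
    @RolesAllowed({"employee", "manager"})
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }

    // The declarative check is evaluated against the propagated roles:
    // a client that was only "employee" when it called MyBean gets an
    // EJBAccessException here, so MyBean cannot widen its privileges.
    @RolesAllowed("manager")
    public void approve(String requestId) {
        // Programmatic check kept for illustration; redundant with the annotation.
        if (!ctx.isCallerInRole("manager")) {
            throw new SecurityException("manager role required");
        }
        // ... approval logic (assumed)
    }
}
```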