In EJB 1.1., how do I ensure that while any client can access EJB A, only EJB A should be allowed to access EJB B? ie my client cannot access EJB B directly.
Alessandro A. Garbagnati (Keeping in mind that 1.1 version does not support run_as_mode)
Maybe this it's just a silly idea, but can't you just limit the access to EJB B inside the deployment descriptor, using the <method-permission> tag?
<method-permission> <role-name>guest</role-name> <method> <ejb-name>EJB_A</ejb-name> <method-name>*</method-name> </method> </method-permission> <method-permission> <role-name>administrators</role-name> <method> <ejb-name>EJB_B</ejb-name> <method-name>*</method-name> </method> </method-permission>This should not allow anyone without the administrator permissions to access to the EJB_B, and I think that you can set the context inside EJB_A to be in that security level.