Is there a way to prevent non-authorized users from creating an EJB? I tried this on WebLogic 5.1 and it does not seem to work. I must have done something wrong somewhere...

What I am trying to do is allow users with "systemrole" to have access to create the EJB, while users with "clientrole" cannot create it. Both users may call the doOperation() method.

Here is part of the deployment descriptor I used to define security access.

<security-role>
  <description>Client user role</description>
  <role-name>clientrole</role-name>
</security-role>
<security-role>
  <description>System user roles</description>
  <role-name>systemrole</role-name>
</security-role>

Here is where I define the method permissions:

<method-permission>
  <role-name>clientrole</role-name>
  <method>
    <ejb-name>FooBean</ejb-name>
    <method-name>doOperation</method-name>
  </method>
</method-permission>
<method-permission>
  <role-name>systemrole</role-name>
  <method>
    <ejb-name>FooBean</ejb-name>
    <method-name>create</method-name>
  </method>
  <method>
    <ejb-name>FooBean</ejb-name>
    <method-name>doOperation</method-name>
  </method>
</method-permission>

In weblogic-ejb-jar.xml, I have the following declared:

<security-role-assignment>
  <role-name>clientrole</role-name>
  <principal-name>clientuser</principal-name>
  <principal-name>systemuser</principal-name>
</security-role-assignment>
<security-role-assignment>
  <role-name>systemrole</role-name>
  <principal-name>systemuser</principal-name>
</security-role-assignment>

and in the weblogic.properties file, I have:

weblogic.password.clientuser=clientpassword
weblogic.password.systemuser=systempassword
weblogic.security.group.systemrole=systemuser
weblogic.security.group.clientrole=clientuser,systemuser

I would appreciate any help on what I got wrong, or is it not possible to prevent users from creating an EJB?

Thanks.
Kean
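As an added example (not part of the original post, and not WebLogic's own tooling), the script below joins the two descriptors quoted above the way a container would: it reads the <method-permission> entries from ejb-jar.xml, the <security-role-assignment> entries from weblogic-ejb-jar.xml, and reports which FooBean methods each principal may invoke. It goes slightly beyond the post in two ways: it honours the EJB wildcard <method-name>*</method-name>, and it lists bean methods that no <method-permission> mentions at all. The two XML strings are the post's fragments wrapped in a constructed root element so they parse; the method list passed to unprotected_methods is a constructed assumption about what FooBean exposes (every EJBHome has create/remove, doOperation is from the post).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed wrapper around the <method-permission> elements quoted in the
# post (in a real ejb-jar.xml they live inside <assembly-descriptor>).
EJB_JAR_XML = """<ejb-jar>
<assembly-descriptor>
<method-permission>
  <role-name>clientrole</role-name>
  <method>
    <ejb-name>FooBean</ejb-name>
    <method-name>doOperation</method-name>
  </method>
</method-permission>
<method-permission>
  <role-name>systemrole</role-name>
  <method>
    <ejb-name>FooBean</ejb-name>
    <method-name>create</method-name>
  </method>
  <method>
    <ejb-name>FooBean</ejb-name>
    <method-name>doOperation</method-name>
  </method>
</method-permission>
</assembly-descriptor>
</ejb-jar>"""

# Constructed wrapper around the <security-role-assignment> elements from the
# post's weblogic-ejb-jar.xml.
WEBLOGIC_EJB_JAR_XML = """<weblogic-ejb-jar>
<security-role-assignment>
  <role-name>clientrole</role-name>
  <principal-name>clientuser</principal-name>
  <principal-name>systemuser</principal-name>
</security-role-assignment>
<security-role-assignment>
  <role-name>systemrole</role-name>
  <principal-name>systemuser</principal-name>
</security-role-assignment>
</weblogic-ejb-jar>"""


def role_permissions(ejb_jar_xml):
    """Return {role: {(ejb-name, method-name), ...}} from <method-permission>.

    A <method-name> of "*" (the EJB wildcard for all methods of the bean) is
    kept literally so can_call() can match it.
    """
    root = ET.fromstring(ejb_jar_xml)
    perms = defaultdict(set)
    for mp in root.iter("method-permission"):
        roles = [r.text.strip() for r in mp.findall("role-name")]
        for m in mp.findall("method"):
            target = (m.findtext("ejb-name").strip(), m.findtext("method-name").strip())
            for role in roles:
                perms[role].add(target)
    return dict(perms)


def principal_roles(weblogic_xml):
    """Return {principal: {role, ...}} from <security-role-assignment>."""
    root = ET.fromstring(weblogic_xml)
    roles = defaultdict(set)
    for sra in root.iter("security-role-assignment"):
        role = sra.findtext("role-name").strip()
        for p in sra.findall("principal-name"):
            roles[p.text.strip()].add(role)
    return dict(roles)


def effective_permissions(ejb_jar_xml, weblogic_xml):
    """Return {principal: {(ejb-name, method-name), ...}}: the union of the
    permissions of every role the principal is assigned."""
    by_role = role_permissions(ejb_jar_xml)
    return {principal: set().union(*(by_role.get(r, set()) for r in roles))
            for principal, roles in principal_roles(weblogic_xml).items()}


def can_call(effective, principal, ejb, method):
    """True if some role of the principal covers the method by name or by "*"."""
    allowed = effective.get(principal, set())
    return (ejb, method) in allowed or (ejb, "*") in allowed


def unprotected_methods(ejb_jar_xml, ejb, declared_methods):
    """Methods of `ejb` that no <method-permission> mentions (by name or "*").
    `declared_methods` must be supplied: the descriptor does not list them."""
    covered = set()
    for targets in role_permissions(ejb_jar_xml).values():
        covered |= {name for (bean, name) in targets if bean == ejb}
    return [] if "*" in covered else [m for m in declared_methods if m not in covered]


if __name__ == "__main__":
    eff = effective_permissions(EJB_JAR_XML, WEBLOGIC_EJB_JAR_XML)
    for principal in sorted(eff):
        for ejb, method in sorted(eff[principal]):
            print(f"{principal:12} may call {ejb}.{method}")
    # Constructed list of home/remote methods FooBean is assumed to expose.
    print("no permission entry:", unprotected_methods(EJB_JAR_XML, "FooBean",
                                                      ["create", "remove", "doOperation"]))
```

Run as written, it shows that the descriptors as quoted grant clientuser only FooBean.doOperation and systemuser both create and doOperation, and that remove has no permission entry. Comparing that computed matrix with what the running server actually allows separates a mistake in the descriptors from a difference in how the container applies them.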