posted 21 years ago
Yes, I agree with Swamy.
Remember, getUserTransaction() is used to get the javax.transaction.UserTransaction object upon which you can call begin(), commit(), etc. -- for bean-managed transactions (BMT). So that means the only beans that can call this method are BMT session beans (both stateful and stateless) or BMT message-driven beans.
As for isCallerInRole(), remember that message-driven beans do NOT have a client! So there is no point trying to get security information about the client. So message-driven beans are *heavily* restricted in what they can ask of their MessageDrivenContext. They have no home and no EJB object, so they can't call any of those methods, and since they have no client, they can't call isCallerInRole() and getCallerPrincipal() to get security info about the client.
It is *true* that the Container calls the onMessage() method of the MDB, but we do NOT call the Container the 'client' to the MDB. The Container is the manager, not the client. And since a message is coming from a messaging service, and not directly from a client invocation on a business method, the security context of the client (the original message-sender) is not propogated into the onMessage() method. And the MDB has no reason to distrust the Container -- the actual caller of the method as far as the MDB is concerned.
cheers,
Kathy