Hi,
upon further investigation I found a workaround for my situation; according to my domain rules, any unauthenticated invoker will receive a "guest" identity (with JBoss it's in the conf/login-config.xml file).
Thus, it was just a matter of creating an Interceptor that, with an injected SessionContext, validated that the principal's name is not equal to "guest".
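See my implementation below.

Bean class

    import javax.ejb.Stateless;
    import javax.interceptor.Interceptors;

    // Every business method call on this bean passes through SecurityInterceptor first.
    @Stateless
    @Interceptors(SecurityInterceptor.class)
    public class SecurityBean implements SecurityRemote {
        public void testSecurity() {
        }
    }

Interceptor class

    import javax.annotation.Resource;
    import javax.ejb.SessionContext;
    import javax.interceptor.AroundInvoke;
    import javax.interceptor.InvocationContext;

    public class SecurityInterceptor {
        // Injected by the container; exposes the caller's principal.
        @Resource SessionContext sessionContext;

        @AroundInvoke
        public Object securityCheck(InvocationContext ctx) throws Exception {
            // Unauthenticated callers are mapped to the "guest" identity, so reject that name.
            if (sessionContext.getCallerPrincipal().getName().equalsIgnoreCase("guest")) {
                throw new SecurityException("No authenticated user provided");
            }
            // Authenticated caller: continue to the business method.
            return ctx.proceed();
        }
    }
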
Anyway, just wanted to share in case somebody finds himself/herself in this kind of situation.
Regards