Which two statements about the EJBContext.isCallerInRole method are correct?
a: A message-driven bean must not call the isCallerInRole method.
b: The isCallerInRole method may be called in a session bean constructor.
c: The isCallerInRole method can be called in any business method of a stateless or stateful bean.
d: The isCallerInRole method can be called in the PostConstruct and PreDestroy methods of a stateless bean.
Explanation: A and C are correct.
I think the answer is C.
According to p. 149 of the spec, MessageDrivenContext.isCallerInRole can be called in a business method / interceptor / timeout callback method.
Only the transactional methods the MessageDrivenContext inherits from EJBContext are available to message-driven beans. The home methods--getEJBHome() and getEJBLocalHome()--throw a RuntimeException if invoked, because MDBs do not have home interfaces or EJB home objects. The security methods--getCallerPrincipal() and isCallerInRole()--also throw a RuntimeException if invoked on a MessageDrivenContext. When an MDB services a JMS message there is no "caller," so there is no security context to be obtained from the caller. Remember that JMS is asynchronous and doesn't propagate the sender's security context to the receiver--that wouldn't make sense, since senders and receivers tend to operate in different environments.
I have to agree with Himai here. On page 149 of the specs, you can read that the security-related methods (getCallerPrincipal, isCallerInRole) can be called from a business method of an MDB.
Apart from that table, you can see why they can be called over here (p 143)
5.4.13 Security Context of Message-Driven Bean Methods
A caller principal may propagate into a message-driven bean’s message listener methods. Whether this occurs is a function of the specific message-listener interface and associated messaging provider, but is not governed by this specification.
The mentioned IllegalStateException must therefore come from the EJB 2.x specs.
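Since the passage quoted from 5.4.13 leaves caller propagation up to the messaging provider, an authorization check inside a message listener method should deny by default when no caller is available. The following is an added example, not code from this thread or from the spec; the class name ApprovalListener and the role order-approver are hypothetical, and it assumes the container signals a missing security context with IllegalStateException.

```java
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.MessageDriven;
import javax.ejb.MessageDrivenContext;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;

// Hypothetical bean; destination settings are omitted and would be supplied
// through activationConfig or the deployment descriptor.
@MessageDriven
@DeclareRoles("order-approver")
public class ApprovalListener implements MessageListener {

    private static final Logger LOG = Logger.getLogger(ApprovalListener.class.getName());
    private static final String REQUIRED_ROLE = "order-approver"; // hypothetical role

    @Resource
    private MessageDrivenContext ctx;

    @Override
    public void onMessage(Message message) {
        if (!callerHasRole(REQUIRED_ROLE)) {
            // Fail closed: no propagated caller, or a caller without the role.
            LOG.warning("Rejected " + idOf(message) + ": caller not in " + REQUIRED_ROLE);
            return;
        }
        LOG.info("Accepted " + idOf(message) + " from " + ctx.getCallerPrincipal().getName());
    }

    // True only when the container supplies a caller that holds the role.
    boolean callerHasRole(String role) {
        try {
            return ctx.isCallerInRole(role);
        } catch (IllegalStateException e) {
            // Assumption: thrown when the provider propagated no security context.
            return false;
        }
    }

    private static String idOf(Message message) {
        try {
            return message.getJMSMessageID();
        } catch (JMSException e) {
            return "<unknown message id>";
        }
    }
}
```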