I went through some issues with EJB3 and ZK. I was using OpenEJB at the time, integrated with Tomcat 6. I found that my methods that had role restrictions (using @RolesAllowed) were not accessible. Whenever I clicked a button, an event would be fired, but the call to that method would fail with an “Unauthorized Access by Principal Denied” error and a stack trace.

Here’s an example, where I have a method in an EJB that has a role restriction…

@RolesAllowed({"admin", "entryclerk"})
public void doSomething(String action)

Whenever the doSomething method was called from an event handler, such as a button click, it would fail with an error like the following. Take note of the checkAuthorization frame near the top, which is where the access check fails, and the EventProcessingThreadImpl frames at the bottom, which show that the call is running on a ZK event thread.

      Message : Unauthorized Access by Principal Denied
      Exception : javax.ejb.EJBAccessException
      Stack : javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
	at org.apache.openejb.core.stateful.StatefulContainer.checkAuthorization(StatefulContainer.java:706)
	at org.apache.openejb.core.stateful.StatefulContainer.businessMethod(StatefulContainer.java:479)
	at org.apache.openejb.core.stateful.StatefulContainer.invoke(StatefulContainer.java:277)
	at org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:217)
	at org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:77)
	at org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:281)
	at $Proxy47.isAuthenticated(Unknown Source)
	at com.example.main.SubmitButton.postTransaction(SubmitButton.java:65)
	at com.example.main.SubmitButton.onEvent(SubmitButton.java:186)
	at org.zkoss.zk.ui.impl.EventProcessor.process0(EventProcessor.java:197)
	at org.zkoss.zk.ui.impl.EventProcessor.process(EventProcessor.java:141)
	at org.zkoss.zk.ui.impl.EventProcessingThreadImpl.process0(EventProcessingThreadImpl.java:519)
	at org.zkoss.zk.ui.impl.EventProcessingThreadImpl.run(EventProcessingThreadImpl.java:446)

Spawning or managing threads is not allowed in EJB, and the container's security context (the authenticated user and its roles) is tied to the request thread that the container manages. Because ZK was dispatching my event handlers on an entirely different thread of its own, the EJB calls made from them carried no principal, and the container rejected them. The solution to this problem is to disable ZK event threads, so that event handlers run on the servlet request thread that the container already knows about. ZK event threads are enabled by default, but may be disabled in zk.xml, as follows.
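The zk.xml fragment itself did not survive in this copy of the post; the following is an added example based on ZK's documented system-config element, not the author's original snippet. It assumes the file lives at WEB-INF/zk.xml inside the web application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/zk.xml (assumed location): run event listeners on the servlet
     request thread instead of a separate ZK event thread, so the container's
     security context (principal and roles) reaches the EJB calls made from them. -->
<zk>
    <system-config>
        <disable-event-thread>true</disable-event-thread>
    </system-config>
</zk>
```

With the event thread disabled, listeners can no longer block waiting for user input, so any code that relied on a synchronous Messagebox.show return value or on Executions.wait must be rewritten to use an event listener callback instead.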


Once the threads are disabled, the access denied errors disappear.