Currently OpenEJB creates a policy context for each EJB, containing only those permissions relevant to that EJB. This appears to be contrary to the JACC spec.
On p.4 we see this definition:
Policy Context: The collection of policy statements within a policy provider that affect access to the resources of one or more deployed modules.
Section 3.1.1 also appears to indicate that a policy context corresponds to a J2EE module:
Each policy context contains all of the policy statements (as defined by this specification) that affect access to the resources in one or more deployed modules.
Section 3.1.5, dealing with translation of the XML DD to permissions inside PolicyConfiguration objects, also looks to me as if the authors assume that there is one contextID for each EJB module. For instance 126.96.36.199 reads:
For each method element of each method-permission element, an EJBMethodPermission object translated from the method element must be added to the policy statements of the PolicyConfiguration object.
Our implementation is externally indistinguishable from the per-module implementation mandated by the spec: it will allow exactly the same access. It is also marginally simpler at runtime, although marginally more complicated at deploy time, than the spec-mandated structure.
Note that in general permissions for several modules cannot be put in a single policy context. Two web modules may have servlets at the same local URL, differing only in context root, with different permissions, and two EJB modules may have identically named EJBs with different permissions. In such cases, permissions from both modules cannot be included in a single policy context.
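The collision described in the note above, as an added example that is not OpenEJB code: `MethodPerm` and `Context` are simplified stand-ins for an EJB method permission and a policy context (they are not the javax.security.jacc API), and the bean, method and role names are constructed.

```java
import java.security.Permission;
import java.security.Permissions;
import java.util.HashMap;
import java.util.Map;

public class PolicyContextCollision {
    // Simplified stand-in for an EJB method permission: name = ejb-name, actions = method.
    static final class MethodPerm extends Permission {
        private final String method;
        MethodPerm(String ejbName, String method) { super(ejbName); this.method = method; }
        @Override public String getActions() { return method; }
        @Override public boolean implies(Permission p) { return equals(p); }
        @Override public boolean equals(Object o) {
            return o instanceof MethodPerm && getName().equals(((MethodPerm) o).getName())
                    && method.equals(((MethodPerm) o).method);
        }
        @Override public int hashCode() { return getName().hashCode() * 31 + method.hashCode(); }
    }

    // Simplified stand-in for one policy context: role name -> permissions granted to that role.
    static final class Context {
        private final Map<String, Permissions> byRole = new HashMap<>();
        void addToRole(String role, Permission p) {
            byRole.computeIfAbsent(role, r -> new Permissions()).add(p);
        }
        boolean allows(String role, Permission p) {
            Permissions granted = byRole.get(role);
            return granted != null && granted.implies(p);
        }
    }

    public static void main(String[] args) {
        // Two modules each contain a bean named AccountBean (constructed names).
        Permission transfer = new MethodPerm("AccountBean", "transfer");

        // One context per module: each module's statements stay separate.
        Context moduleA = new Context();
        moduleA.addToRole("teller", transfer);
        Context moduleB = new Context();
        moduleB.addToRole("auditor", transfer);

        // Both modules written into one context: identical permissions merge,
        // so each role gains the access granted only in the other module.
        Context shared = new Context();
        shared.addToRole("teller", transfer);   // statement from module A
        shared.addToRole("auditor", transfer);  // statement from module B

        System.out.println("module A, auditor: " + moduleA.allows("auditor", transfer));
        System.out.println("module B, teller:  " + moduleB.allows("teller", transfer));
        System.out.println("shared,   auditor: " + shared.allows("auditor", transfer));
        System.out.println("shared,   teller:  " + shared.allows("teller", transfer));
    }
}
```

The per-module contexts deny the cross-module role, while the shared context allows both roles because nothing in the permission itself records which module it came from.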