Access permission rewrite on beans!

Tuomas Riihimäki
Commit 49b8d99e authored Apr 02, 2011 by Tuomas Riihimäki
Showing with 417 additions and 513 deletions
code/LanBortalBeans/.classpath
code/LanBortalBeans/ejbModule/META-INF/sun-ejb-jar.xml
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/AccountEventBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/BillBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/CardTemplateBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/EventBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/EventMapBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/EventOrganiserBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/FoodWaveBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/GameBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/JaasBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PlaceBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PlaceGroupBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PlaceMapBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PollBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/ProductBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/ReaderBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/RoleBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/SecurityBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/UserBean.java
--- a/code/LanBortalBeans/.classpath
+++ b/code/LanBortalBeans/.classpath
@@ -13,5 +13,6 @@
 	</classpathentry>
 	<classpathentry kind="con" path="org.eclipse.jst.j2ee.internal.module.container"/>
 	<classpathentry kind="src" path="/LanBortalUtilities"/>
+	<classpathentry kind="src" path="/UtilClasses"/>
 	<classpathentry kind="output" path="build/classes"/>
 </classpath>
--- a/code/LanBortalBeans/ejbModule/META-INF/sun-ejb-jar.xml
+++ b/code/LanBortalBeans/ejbModule/META-INF/sun-ejb-jar.xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
 <sun-ejb-jar>
+	<security-role-mapping>
+		<role-name>ANONYMOUS</role-name>
+		<group-name>ANONYMOUS</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>ORGANIZATION_ROOT</role-name>
+		<group-name>ORGANIZATION_ROOT</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>SUPERADMIN</role-name>
+		<group-name>SUPERADMIN</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>ADMIN_BASE</role-name>
+		<group-name>ADMIN_BASE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>USER_BASE</role-name>
+		<group-name>USER_BASE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>LOGIN/READ</role-name>
+		<group-name>LOGIN/READ</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>LOGIN/WRITE</role-name>
+		<group-name>LOGIN/WRITE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>LOGIN/EXECUTE</role-name>
+		<group-name>LOGIN/EXECUTE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>USER_MANAGEMENT/READ</role-name>
+		<group-name>USER_MANAGEMENT/READ</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>USER_MANAGEMENT/WRITE</role-name>
+		<group-name>USER_MANAGEMENT/WRITE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>USER_MANAGEMENT/EXECUTE</role-name>
+		<group-name>USER_MANAGEMENT/EXECUTE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>ACCOUNT_MANAGEMENT/READ</role-name>
+		<group-name>ACCOUNT_MANAGEMENT/READ</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>ACCOUNT_MANAGEMENT/WRITE</role-name>
+		<group-name>ACCOUNT_MANAGEMENT/WRITE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>ACCOUNT_MANAGEMENT/EXECUTE</role-name>
+		<group-name>ACCOUNT_MANAGEMENT/EXECUTE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>BILL/READ</role-name>
+		<group-name>BILL/READ</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>BILL/WRITE</role-name>
+		<group-name>BILL/WRITE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>BILL/EXECUTE</role-name>
+		<group-name>BILL/EXECUTE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>MAP/READ</role-name>
+		<group-name>MAP/READ</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>MAP/WRITE</role-name>
+		<group-name>MAP/WRITE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>MAP/EXECUTE</role-name>
+		<group-name>MAP/EXECUTE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>ROLE_MANAGEMENT/READ</role-name>
+		<group-name>ROLE_MANAGEMENT/READ</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>ROLE_MANAGEMENT/WRITE</role-name>
+		<group-name>ROLE_MANAGEMENT/WRITE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>ROLE_MANAGEMENT/EXECUTE</role-name>
+		<group-name>ROLE_MANAGEMENT/EXECUTE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>PRODUCT/READ</role-name>
+		<group-name>PRODUCT/READ</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>PRODUCT/WRITE</role-name>
+		<group-name>PRODUCT/WRITE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>PRODUCT/EXECUTE</role-name>
+		<group-name>PRODUCT/EXECUTE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>SHOP/READ</role-name>
+		<group-name>SHOP/READ</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>SHOP/WRITE</role-name>
+		<group-name>SHOP/WRITE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>SHOP/EXECUTE</role-name>
+		<group-name>SHOP/EXECUTE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>GAME/READ</role-name>
+		<group-name>GAME/READ</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>GAME/WRITE</role-name>
+		<group-name>GAME/WRITE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>GAME/EXECUTE</role-name>
+		<group-name>GAME/EXECUTE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>POLL/READ</role-name>
+		<group-name>POLL/READ</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>POLL/WRITE</role-name>
+		<group-name>POLL/WRITE</group-name>
+	</security-role-mapping>
+	<security-role-mapping>
+		<role-name>POLL/EXECUTE</role-name>
+		<group-name>POLL/EXECUTE</group-name>
+	</security-role-mapping>
  <enterprise-beans/>
 </sun-ejb-jar>
--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/AccountEventBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/AccountEventBean.java
@@ -7,19 +7,18 @@ import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.RolesAllowed;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import fi.insomnia.bortal.enums.Permission;
-import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.facade.AccountEventFacade;
 import fi.insomnia.bortal.model.AccountEvent;
 import fi.insomnia.bortal.model.EventPk;
 import fi.insomnia.bortal.model.LanEvent;
-import fi.insomnia.bortal.model.Place;
 import fi.insomnia.bortal.model.Product;
 import fi.insomnia.bortal.model.Role;
 import fi.insomnia.bortal.model.User;
@@ -28,6 +27,7 @@ import fi.insomnia.bortal.model.User;
 * Session Bean implementation class AccountEventBean
 */
 @Stateless
+@DeclareRoles({ "ACCOUNT_MANAGEMENT/READ", "ACCOUNT_MANAGEMENT/WRITE", "SHOP/EXECUTE" })
 public class AccountEventBean implements AccountEventBeanLocal {
 	@EJB
@@ -36,13 +36,15 @@ public class AccountEventBean implements AccountEventBeanLocal {
 	@EJB
 	private UserBeanLocal userbean;
 	@EJB
-    private SecurityBeanLocal sessionbean;
+	private LoggingBeanLocal loggingbean;
 	@EJB
 	private EventBeanLocal eventBean;
 	@EJB
 	private ProductBeanLocal prodbean;
 	@EJB
 	private PlaceBeanLocal placebean;
+	@EJB
+	private PermissionBeanLocal permbean;
 	private static final Logger logger = LoggerFactory.getLogger(AccountEventBean.class);
@@ -51,17 +53,17 @@ public class AccountEventBean implements AccountEventBeanLocal {
 	}
 	@Override
+	@RolesAllowed("ACCOUNT_MANAGEMENT/WRITE")
 	public AccountEvent merge(AccountEvent account) {
-        userbean.fatalPermission(Permission.ACCOUNT_MANAGEMENT, RolePermission.WRITE, "Error mergin account event", account);
 		return accountfacade.merge(account);
 	}
 	@Override
+	@RolesAllowed("ACCOUNT_MANAGEMENT/WRITE")
 	public void delete(AccountEvent account) {
-        userbean.fatalPermission(Permission.ACCOUNT_MANAGEMENT, RolePermission.WRITE, "Error deleting account event: ", account);
 		AccountEvent acco = accountfacade.find(account.getId());
-        sessionbean.logMessage(SecurityLogType.accountEvent, userbean.getCurrentUser(), "Deleting AccountEvent '", acco.getProduct().getName(), "' count: '", acco.getQuantity().toString(), "' unitprice: '", acco.getUnitPrice().toString(), "' accouser: '", acco.getUser().getLogin(), "'");
+		loggingbean.logMessage(SecurityLogType.accountEvent, permbean.getCurrentUser(), "Deleting AccountEvent '", acco.getProduct().getName(), "' count: '", acco.getQuantity().toString(), "' unitprice: '", acco.getUnitPrice().toString(), "' accouser: '", acco.getUser().getLogin(), "'");
 		acco.getProduct().getAccountEvents().remove(acco);
 		if (acco.getBill() != null) {
 			acco.getBill().setAccountEvent(null);
@@ -83,12 +85,12 @@ public class AccountEventBean implements AccountEventBeanLocal {
 	}
 	@Override
-    public List<AccountEvent> shopCash(User shoppingUser, Map<Product, BigDecimal> shopMap, boolean buyInstant) {
+	@RolesAllowed("SHOP/EXECUTE")
+	public List<AccountEvent> shopCash(User shoppingUser, Map<Product, BigDecimal> shopMap, boolean buyInstant) throws PermissionDeniedException {
 		logger.debug("Shoping cash. buyinstant {}", buyInstant);
-        userbean.fatalPermission(Permission.SHOP, RolePermission.EXECUTE, "User tried to create accountEvents via shop without SHOP:EXECUTE");
 		ArrayList<AccountEvent> ret = new ArrayList<AccountEvent>();
 		LanEvent ev = eventBean.getCurrentEvent();
-        User seller = userbean.getCurrentUser();
+		User seller = permbean.getCurrentUser();
 		BigDecimal tot = BigDecimal.ZERO;
 		for (Entry<Product, BigDecimal> prodentry : shopMap.entrySet()) {

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/BillBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/BillBean.java
@@ -7,6 +7,8 @@ import java.util.Calendar;
 import java.util.Collection;
 import java.util.List;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.RolesAllowed;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
 import javax.persistence.EntityManager;
@@ -19,7 +21,6 @@ import fi.insomnia.bortal.beanutil.PdfPrinter;
 import fi.insomnia.bortal.bortal.views.BillSummary;
 import fi.insomnia.bortal.enums.Permission;
 import fi.insomnia.bortal.enums.RolePermission;
-import fi.insomnia.bortal.exceptions.PermissionDeniedException;
 import fi.insomnia.bortal.facade.BillFacade;
 import fi.insomnia.bortal.facade.BillLineFacade;
 import fi.insomnia.bortal.model.AccountEvent;
@@ -34,20 +35,14 @@ import fi.insomnia.bortal.model.User;
 * Session Bean implementation class BillBean
 */
 @Stateless
+@DeclareRoles({ "BILL/READ", "USER_MANAGEMENT/EXECUTE", "USER_MANAGEMENT/READ" })
 public class BillBean implements BillBeanLocal {
 	private static final Logger logger = LoggerFactory.getLogger(BillBean.class);
 	@EJB
 	private BillFacade billFacade;
 	@EJB
-    private UserBeanLocal userBean;
-    @EJB
-    private SecurityBeanLocal secubean;
-    @EJB
 	private EventBeanLocal eventbean;
 	@EJB
 	private BillLineFacade billLineFacade;
@@ -55,11 +50,16 @@ public class BillBean implements BillBeanLocal {
 	private EntityManager em;
 	@EJB
+	private PermissionBeanLocal permbean;
+	@EJB
 	private ProductBeanLocal productBean;
 	@EJB
 	private PlaceBeanLocal placebean;
+	@EJB
+	private PermissionBeanLocal permissionbean;
 	/**
 	 * Default constructor.
 	 */
@@ -67,16 +67,19 @@ public class BillBean implements BillBeanLocal {
 		// TODO Auto-generated constructor stub
 	}
-    public Bill findById(int id) {
+	@Override
+	public Bill findById(int id) throws PermissionDeniedException {
 		LanEvent event = eventbean.getCurrentEvent();
 		if (id <= 0) {
 			return null;
 		}
 		Bill bill = billFacade.find(event.getId(), id);
-        User currentuser = userBean.getCurrentUser();
+		User currentuser = permbean.getCurrentUser();
+		logger.debug("bill {} user {}", bill, currentuser);
-        if (!currentuser.equals(bill.getUser())) {
+		if (bill == null || !currentuser.equals(bill.getUser())) {
-            userBean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.READ, "User tried to print the bill with insufficient rights. Bill id: ", bill);
+			bill = null;
+			permbean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.READ, "No right to read bill: ", bill);
 		}
 		return bill;
@@ -109,14 +112,10 @@ public class BillBean implements BillBeanLocal {
 	}
 	@Override
-    public Bill createEmptyBill(User shoppingUser) {
+	public Bill createEmptyBill(User shoppingUser) throws PermissionDeniedException {
+		if (permbean.isCurrentUser(shoppingUser)) {
-        if (shoppingUser != null && !userBean.isCurrentUser(shoppingUser)) {
+			permbean.fatalPermission(Permission.SHOP, RolePermission.EXECUTE, "No permission to create empty bill for self");
-            userBean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.EXECUTE, "User tried to shop to ", shoppingUser, " another without sufficient rights");
+		} else if (!permbean.hasPermission(Permission.ACCOUNT_MANAGEMENT, RolePermission.EXECUTE)) {
-        }
-        if (shoppingUser == null) {
-            shoppingUser = userBean.getCurrentUser();
 		}
 		LanEvent event = eventbean.getCurrentEvent();
 		Bill ret = new Bill(event, shoppingUser);
@@ -128,15 +127,15 @@ public class BillBean implements BillBeanLocal {
 	}
 	@Override
-    public BillLine addProductToBill(Bill bill, Product product, BigDecimal count) {
+	@RolesAllowed("SHOP/EXECUTE")
-        userBean.fatalPermission(Permission.BILL, RolePermission.EXECUTE, "User tried to add a product to bill");
+	public BillLine addProductToBill(Bill bill, Product product, BigDecimal count) throws PermissionDeniedException {
 		// If bill number > 0 bill has been sent and extra privileges are needed
 		// to modify.
-        boolean iscurrent = userBean.isCurrentUser(bill.getUser());
+		boolean iscurrent = permissionbean.isCurrentUser(bill.getUser());
 		Integer billnr = bill.getBillNumber();
 		if (!iscurrent || billnr != null) {
-            userBean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.EXECUTE, "User tried to modify bill ", bill, "without sufficient permissions");
+			permbean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.EXECUTE, "User tried to modify bill ", bill, "without sufficient permissions");
 		}
 		BillLine line = new BillLine(bill, product.getName(), product.getUnitName(), count, product.getPrice(), product.getVat());
 		line.setLineProduct(product);
@@ -158,27 +157,23 @@ public class BillBean implements BillBeanLocal {
 	}
 	@Override
+	@RolesAllowed("BILL/WRITE")
 	public List<Bill> findAll() {
-        if (!userBean.hasPermission(Permission.BILL, RolePermission.WRITE)) {
-            throw new PermissionDeniedException(secubean, userBean.getCurrentUser(), "User tried to list all bills without sufficient permissions");
-        }
 		return billFacade.findAll(eventbean.getCurrentEvent());
 	}
 	@Override
+	@RolesAllowed("BILL/READ")
 	public Collection<BillSummary> getBillLineSummary() {
-        userBean.fatalPermission(Permission.BILL, RolePermission.READ, "User tried to view the bill summary");
 		Collection<BillSummary> ret = billLineFacade.getLineSummary(eventbean.getCurrentEvent());
-        for (BillSummary foo : ret) {
-            logger.debug("linesum {}", foo);
-        }
 		return ret;
 	}
 	@Override
+	@RolesAllowed("BILL/WRITE")
 	public void markPaid(Bill bill, Calendar when) {
-        userBean.fatalPermission(Permission.BILL, RolePermission.WRITE, "User tried to mark the bill paid");
 		Product creditproduct = productBean.findCreditProduct();
@@ -186,7 +181,7 @@ public class BillBean implements BillBeanLocal {
 		ac.setDelivered(when);
 		ac.setEventTime(when);
 		ac.setBill(bill);
-        ac.setSeller(userBean.getCurrentUser());
+		ac.setSeller(permbean.getCurrentUser());
 		bill.setAccountEvent(ac);
 		bill.setPaidDate(when);

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/CardTemplateBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/CardTemplateBean.java
@@ -2,14 +2,14 @@ package fi.insomnia.bortal.beans;
 import java.util.List;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.RolesAllowed;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import fi.insomnia.bortal.enums.Permission;
-import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.facade.CardTemplateFacade;
 import fi.insomnia.bortal.facade.PrintedCardFacade;
 import fi.insomnia.bortal.model.CardTemplate;
@@ -23,6 +23,7 @@ import fi.insomnia.bortal.util.MailMessage;
 * Session Bean implementation class CardTemplateBean
 */
 @Stateless
+@DeclareRoles({ "USER_MANAGEMENT/WRITE", "USER_MANAGEMENT/READ" })
 public class CardTemplateBean implements CardTemplateBeanLocal {
 	private static final Logger logger = LoggerFactory.getLogger(CardTemplateBean.class);
@@ -45,28 +46,28 @@ public class CardTemplateBean implements CardTemplateBeanLocal {
 	private PrintedCardFacade printedcardfacade;
 	@EJB
 	private UtilBeanLocal mailbean;
-    @EJB
-    private PlaceGroupBeanLocal pgbean;
+	@Override
+	@RolesAllowed("USER_MANAGEMENT/WRITE")
 	public List<CardTemplate> findAll() {
-        userbean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.WRITE);
 		return cdFacade.findAll(eventBean.getCurrentEvent());
 	}
 	@Override
+	@RolesAllowed("USER_MANAGEMENT/WRITE")
 	public void create(CardTemplate card) {
-        userbean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.WRITE);
 		cdFacade.create(card);
 	}
 	@Override
+	@RolesAllowed("USER_MANAGEMENT/READ")
 	public CardTemplate findById(Integer id) {
-        userbean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.READ);
 		LanEvent ev = eventBean.getCurrentEvent();
 		return cdFacade.find(ev.getId(), id);
 	}
-    public void checkAllUsersCardRights() {
+	@Override
+	public void checkAllUsersCardRights() throws PermissionDeniedException {
 		for (User u : userbean.getUsers()) {
 			checkPrintedCard(u);
 		}
@@ -74,8 +75,11 @@ public class CardTemplateBean implements CardTemplateBeanLocal {
 	/**
 	 * Checks users printed card roles and return the biggestCard
+	 * 
+	 * @throws PermissionDeniedException
 	 */
-    public PrintedCard checkPrintedCard(User user) {
+	@Override
+	public PrintedCard checkPrintedCard(User user) throws PermissionDeniedException {
 		LanEvent currEvent = eventBean.getCurrentEvent();
 		List<PrintedCard> myCards = printedcardfacade.findForUser(currEvent, user);
@@ -137,7 +141,7 @@ public class CardTemplateBean implements CardTemplateBeanLocal {
 	}
-    public CardTemplate getUsersCardtype(User user) {
+	public CardTemplate getUsersCardtype(User user) throws PermissionDeniedException {
 		List<Role> roles = userbean.findUsersRoles(user);
 		CardTemplate greatestTemplate = null;
@@ -153,7 +157,7 @@ public class CardTemplateBean implements CardTemplateBeanLocal {
 	}
 	@Override
-    public PrintedCard setRfidUid(String tag, User user) {
+	public PrintedCard setRfidUid(String tag, User user) throws PermissionDeniedException {
 		PrintedCard ct = checkPrintedCard(user);
 		return setRfidUid(tag, ct);
 	}

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/EventBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/EventBean.java
@@ -8,9 +8,7 @@ import javax.persistence.PersistenceContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import fi.insomnia.bortal.clientutils.BortalLocalContextHolder;
-import fi.insomnia.bortal.exceptions.PermissionDeniedException;
 import fi.insomnia.bortal.facade.EventFacade;
 import fi.insomnia.bortal.facade.EventOrganiserFacade;
 import fi.insomnia.bortal.model.EventOrganiser;
@@ -33,14 +31,13 @@ public class EventBean implements EventBeanLocal {
 	private EventOrganiserFacade eventOrganiserFacade;
 	@EJB
-    private UserBeanLocal userBean;
-    @EJB
 	private EventStatusBeanLocal eventStatusBean;
 	@PersistenceContext
 	private EntityManager em;
 	@EJB
-    private SecurityBeanLocal secubean;
+	private LoggingBeanLocal loggingbean;
+	@EJB
+	private PermissionBeanLocal permbean;
 	@Override
 	public LanEvent getEventByHostname(String hostname) {
@@ -74,7 +71,7 @@ public class EventBean implements EventBeanLocal {
 			settings = new EventOrganiser();
 			settings.setOrganisation(DEFAULT_ORGANISATION_NAME);
-            User defaultUser = userBean.getAnonUser();
+			User defaultUser = permbean.getAnonUser();
 			settings.setAdmin(defaultUser);
 			eventOrganiserFacade.create(settings);
 		}
@@ -91,19 +88,19 @@ public class EventBean implements EventBeanLocal {
 	}
 	@Override
-    public LanEvent mergeChanges(LanEvent event) {
+	public LanEvent mergeChanges(LanEvent event) throws PermissionDeniedException {
 		// TODO: Hmm..
-        if (!userBean.isCurrentUser(event.getOrganiser().getAdmin()) && !userBean.getCurrentUser().isSuperadmin()) {
+		if (!permbean.isCurrentUser(event.getOrganiser().getAdmin()) && !permbean.getCurrentUser().isSuperadmin()) {
-            throw new PermissionDeniedException(secubean, userBean.getCurrentUser(), "User tried to merge event: " + event + " without being admin of that group");
+			throw new PermissionDeniedException(loggingbean, permbean.getCurrentUser(), "User tried to merge event: " + event + " without being admin of that group");
 		}
 		return eventFacade.merge(event);
 	}
 	@Override
-    public void create(LanEvent event) {
+	public void create(LanEvent event) throws PermissionDeniedException {
 		// TODO: Hmm..
-        if (!userBean.isCurrentUser(event.getOrganiser().getAdmin()) && !userBean.getCurrentUser().isSuperadmin()) {
+		if (!permbean.isCurrentUser(event.getOrganiser().getAdmin()) && !permbean.getCurrentUser().isSuperadmin()) {
-            throw new PermissionDeniedException(secubean, userBean.getCurrentUser(), "User tried to create a new event for organiser " + event.getOrganiser() + " without being admin of that group");
+			throw new PermissionDeniedException(loggingbean, permbean.getCurrentUser(), "User tried to create a new event for organiser " + event.getOrganiser() + " without being admin of that group");
 		}
 		eventFacade.create(event);

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/EventMapBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/EventMapBean.java
 package fi.insomnia.bortal.beans;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.RolesAllowed;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
-import fi.insomnia.bortal.enums.Permission;
-import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.facade.EventMapFacade;
 import fi.insomnia.bortal.model.EventMap;
 import fi.insomnia.bortal.model.LanEvent;
@@ -13,6 +13,7 @@ import fi.insomnia.bortal.model.LanEvent;
 * Session Bean implementation class EventMapBean
 */
 @Stateless
+@DeclareRoles({ "MAP/WRITE" })
 public class EventMapBean implements EventMapBeanLocal {
 	@EJB
@@ -20,21 +21,17 @@ public class EventMapBean implements EventMapBeanLocal {
 	@EJB
 	private EventBeanLocal eventbean;
-    @EJB
-    private UserBeanLocal userbean;
 	@Override
+	@RolesAllowed("MAP/WRITE")
 	public EventMap saveMap(EventMap eventmap) {
-        userbean.fatalPermission(Permission.MAP, RolePermission.WRITE);
 		return eventmapfacade.merge(eventmap);
 	}
 	@Override
-    public EventMap create(String mapname) {
+	@RolesAllowed("MAP/WRITE")
-        userbean.fatalPermission(Permission.MAP, RolePermission.WRITE);
+	public EventMap create(String mapname) throws PermissionDeniedException {
 		EventMap ret = new EventMap(eventbean.getCurrentEvent());
 		ret.setName(mapname);
 		LanEvent event = eventbean.getCurrentEvent();
@@ -45,8 +42,8 @@ public class EventMapBean implements EventMapBeanLocal {
 	}
 	@Override
+	@RolesAllowed("MAP/WRITE")
 	public void sendImage(int destId, byte[] imagedata) {
-        userbean.fatalPermission(Permission.MAP, RolePermission.WRITE);
 		LanEvent event = eventbean.getCurrentEvent();
 		EventMap map = eventmapfacade.find(event.getId(), destId);
 		if (map != null) {

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/EventOrganiserBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/EventOrganiserBean.java
@@ -5,7 +5,6 @@ import java.util.List;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
-import fi.insomnia.bortal.exceptions.PermissionDeniedException;
 import fi.insomnia.bortal.facade.EventOrganiserFacade;
 import fi.insomnia.bortal.model.EventOrganiser;
@@ -19,9 +18,9 @@ public class EventOrganiserBean implements EventOrganiserBeanLocal {
 	private EventOrganiserFacade eventorgfacade;
 	@EJB
-    private UserBeanLocal userbean;
+	private LoggingBeanLocal loggingbean;
 	@EJB
-    private SecurityBeanLocal securitybean;
+	private PermissionBeanLocal permbean;
 	/**
 	 * Default constructor.
@@ -31,22 +30,22 @@ public class EventOrganiserBean implements EventOrganiserBeanLocal {
 	}
 	@Override
-    public void save(EventOrganiser eventorg) {
+	public void save(EventOrganiser eventorg) throws PermissionDeniedException {
 		fatalPermission(eventorg);
 		eventorgfacade.merge(eventorg);
 	}
-    public void fatalPermission(EventOrganiser eventorg) {
+	@Override
-        if (!userbean.isCurrentUser(eventorg.getAdmin()) && !userbean.getCurrentUser().isSuperadmin()) {
+	public void fatalPermission(EventOrganiser eventorg) throws PermissionDeniedException {
-            throw new PermissionDeniedException(securitybean, userbean.getCurrentUser(), "Someone other than admin tried to access EventOrganiser: " + eventorg.toString());
+		if (!permbean.isCurrentUser(eventorg.getAdmin()) && !permbean.getCurrentUser().isSuperadmin()) {
+			throw new PermissionDeniedException(loggingbean, permbean.getCurrentUser(), "Someone other than admin tried to access EventOrganiser: " + eventorg.toString());
 		}
 	}
 	@Override
-    public List<EventOrganiser> getEventOrganisers() {
+	public List<EventOrganiser> getEventOrganisers() throws PermissionDeniedException {
-        if(!userbean.getCurrentUser().isSuperadmin())
+		if (!permbean.getCurrentUser().isSuperadmin()) {
-        {
+			throw new PermissionDeniedException(loggingbean, permbean.getCurrentUser(), "Non-superadmin tried to list all EventOrganisers");
-            throw new PermissionDeniedException(securitybean, userbean.getCurrentUser(), "Non-superadmin tried to list all EventOrganisers");
 		}
 		return eventorgfacade.findAll();
 	}
@@ -54,7 +53,7 @@ public class EventOrganiserBean implements EventOrganiserBeanLocal {
 	@Override
 	public EventOrganiser create(String name) {
 		EventOrganiser ret = new EventOrganiser();
-        ret.setAdmin(userbean.getCurrentUser());
+		ret.setAdmin(permbean.getCurrentUser());
 		ret.setOrganisation(name);
 		eventorgfacade.create(ret);
 		return ret;

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/FoodWaveBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/FoodWaveBean.java
 package fi.insomnia.bortal.beans;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.RolesAllowed;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
-import fi.insomnia.bortal.enums.Permission;
-import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.facade.FoodWaveTemplateFacade;
 import fi.insomnia.bortal.model.FoodWaveTemplate;
@@ -12,12 +12,10 @@ import fi.insomnia.bortal.model.FoodWaveTemplate;
 * Session Bean implementation class FoodWaveBean
 */
 @Stateless
+@DeclareRoles("SHOP/WRITE")
 public class FoodWaveBean implements FoodWaveBeanLocal {
 	@EJB
-    private UserBeanLocal userbean;
-    @EJB
 	private FoodWaveTemplateFacade fwtFacade;
 	/**
@@ -28,14 +26,14 @@ public class FoodWaveBean implements FoodWaveBeanLocal {
 	}
 	@Override
+	@RolesAllowed("SHOP/WRITE")
 	public void createTemplate(FoodWaveTemplate waveTemplate) {
-        userbean.fatalPermission(Permission.SHOP, RolePermission.WRITE, "Need SHOP:WRITE to create foodwave templates");
 		fwtFacade.create(waveTemplate);
 	}
 	@Override
+	@RolesAllowed("SHOP/WRITE")
 	public FoodWaveTemplate saveTemplate(FoodWaveTemplate waveTemplate) {
-        userbean.fatalPermission(Permission.SHOP, RolePermission.WRITE, "Need SHOP:WRITE to create foodwave templates");
 		return fwtFacade.merge(waveTemplate);
 	}

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/GameBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/GameBean.java
@@ -7,10 +7,7 @@ import java.util.List;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
-import fi.insomnia.bortal.enums.Permission;
-import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.facade.NewsGroupFacade;
-import fi.insomnia.bortal.facade.UserFacade;
 import fi.insomnia.bortal.model.News;
 import fi.insomnia.bortal.model.NewsGroup;

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/JaasBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/JaasBean.java
 package fi.insomnia.bortal.beans;
 import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.List;
 import java.util.Vector;
 import javax.ejb.EJB;
@@ -10,8 +12,11 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import fi.insomnia.bortal.enums.BeanRole;
+import fi.insomnia.bortal.enums.Permission;
+import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.facade.UserFacade;
 import fi.insomnia.bortal.model.Role;
+import fi.insomnia.bortal.model.RoleRight;
 import fi.insomnia.bortal.model.User;
 /**
@@ -25,21 +30,15 @@ public class JaasBean implements JaasBeanLocal, JaasBeanRemote {
 	private UserFacade userfacade;
 	@EJB
-    private SecurityBeanLocal secubean;
+	private LoggingBeanLocal secubean;
 	@EJB
 	private UserBean userbean;
+	@EJB
-    /**
+	private PermissionBeanLocal permbean;
-     * Default constructor.
-     */
-    public JaasBean() {
-        // TODO Auto-generated constructor stub
-    }
 	public User tryLogin(String username, String password) {
 		User user = userfacade.findByLogin(username.trim());
 		logger.debug("Trying to login as {}", username);
 		User ret = null;
@@ -67,19 +66,49 @@ public class JaasBean implements JaasBeanLocal, JaasBeanRemote {
 	@Override
 	public Enumeration<String> getGroupNames(String user) {
 		User usr = userbean.getUser(user);
-        Vector<String> roles = new Vector<String>();
+		HashSet<String> roleset = new HashSet<String>();
 		if (usr != null) {
-            for (Role r : usr.getRoles()) {
-                roles.add(r.getName());
+			HashSet<RoleRight> mappedRoles = new HashSet<RoleRight>();
+			List<Role> usrroles = userbean.localFindUsersRoles(usr);
+			for (Role r : usrroles) {
+				for (RoleRight rr : r.getRoleRights()) {
+					if (!mappedRoles.contains(rr)) {
+						mappedRoles.add(rr);
+						if (rr.isExecute()) {
+							roleset.add(rr.getPermission().getName());
+							roleset.add(rr.getPermission().append(RolePermission.EXECUTE));
 						}
-            if (usr.isSuperadmin()) {
+						if (rr.isRead()) {
-                roles.add(BeanRole.SUPERADMIN.name());
+							roleset.add(rr.getPermission().getName());
+							roleset.add(rr.getPermission().append(RolePermission.READ));
+						}
+						if (rr.isWrite()) {
+							roleset.add(rr.getPermission().getName());
+							roleset.add(rr.getPermission().append(RolePermission.WRITE));
 						}
 					}
+				}
+			}
+			if (permbean.isLoggedIn()) {
+				roleset.add("USER");
+			}
+			if (usr.isSuperadmin()) {
+				for (Permission p : Permission.values()) {
+					roleset.add(p.getName());
-        logger.debug("group names for user {}: {}", user, roles);
+					roleset.add(p.append(RolePermission.EXECUTE));
-        return roles.elements();
+					roleset.add(p.append(RolePermission.READ));
+					roleset.add(p.append(RolePermission.WRITE));
 				}
+				roleset.add(BeanRole.SUPERADMIN.name());
+			}
+		}
+		Vector<String> retvect = new Vector<String>();
+		retvect.addAll(roleset);
+		logger.debug("group names for user {}: {}", user, retvect);
+		return retvect.elements();
+	}
 }
--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PlaceBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PlaceBean.java
@@ -15,10 +15,19 @@ import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Set;
-import fi.insomnia.bortal.enums.Permission;
+import javax.annotation.Resource;
-import fi.insomnia.bortal.enums.RolePermission;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.RolesAllowed;
+import javax.ejb.EJB;
+import javax.ejb.Stateless;
+import javax.ejb.Timeout;
+import javax.ejb.Timer;
+import javax.ejb.TimerService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import fi.insomnia.bortal.exceptions.BortalCatchableException;
-import fi.insomnia.bortal.exceptions.PermissionDeniedException;
 import fi.insomnia.bortal.facade.GroupMembershipFacade;
 import fi.insomnia.bortal.facade.PlaceFacade;
 import fi.insomnia.bortal.facade.PlaceGroupFacade;
@@ -31,22 +40,12 @@ import fi.insomnia.bortal.model.PlaceGroup;
 import fi.insomnia.bortal.model.Product;
 import fi.insomnia.bortal.model.User;
-import javax.annotation.Resource;
-import javax.ejb.EJB;
-import javax.ejb.Stateless;
-import javax.ejb.Timeout;
-import javax.ejb.Timer;
-import javax.ejb.TimerService;
-import javax.persistence.RollbackException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 /**
 * 
 * @author tuukka
 */
 @Stateless
+@DeclareRoles({ "MAP/READ", "MAP/WRITE", "MAP/EXECUTE", "SHOP/EXECUTE" })
 public class PlaceBean implements PlaceBeanLocal {
 	private static final String PLACE_RESERVE_TIMEOUTER = "Map reserve timeouter";
 	private static final Logger logger = LoggerFactory.getLogger(PlaceBean.class);
@@ -70,16 +69,13 @@ public class PlaceBean implements PlaceBeanLocal {
 	private EventBeanLocal eventBean;
 	@EJB
-    private PlaceGroupBeanLocal pgbean;
+	private LoggingBeanLocal secubean;
-    @EJB
-    private SecurityBeanLocal secubean;
 	@EJB
-    private EventMapBeanLocal mapfacade;
+	private PermissionBeanLocal permbean;
 	@Override
+	@RolesAllowed("MAP/WRITE")
 	public Place mergeChanges(Place place) {
-        userbean.fatalPermission(Permission.MAP, RolePermission.WRITE, "User tried to modify place ", place);
 		return placeFacade.merge(place);
 	}
@@ -87,7 +83,7 @@ public class PlaceBean implements PlaceBeanLocal {
 	public BigDecimal totalReservationPrice(EventMap e, Place newPlace) {
 		Set<Place> places = new HashSet<Place>();
-        places.addAll(placeFacade.findUsersReservations(e, userbean.getCurrentUser()));
+		places.addAll(placeFacade.findUsersReservations(e, permbean.getCurrentUser()));
 		if (newPlace != null) {
 			places.add(newPlace);
@@ -137,8 +133,8 @@ public class PlaceBean implements PlaceBeanLocal {
 	}
 	@Override
+	@RolesAllowed("MAP/EXECUTE")
 	public boolean reservePlace(Place p, User user) {
-        userbean.fatalPermission(Permission.MAP, RolePermission.EXECUTE, "User does not have rights to reserve ( and buy) a place");
 		boolean ret = placeFacade.reservePlace(p, user);
 		boolean foundTimeout = false;
@@ -163,7 +159,7 @@ public class PlaceBean implements PlaceBeanLocal {
 	@Override
 	public void releaseUsersPlaces() {
 		logger.debug("timeouting places");
-        placeFacade.releasePlaces(userbean.getCurrentUser());
+		placeFacade.releasePlaces(permbean.getCurrentUser());
 	}
 	@Override
@@ -173,10 +169,10 @@ public class PlaceBean implements PlaceBeanLocal {
 	}
 	@Override
+	@RolesAllowed("MAP/EXECUTE")
 	public boolean buySelectedPlaces(EventMap e) throws BortalCatchableException {
-        userbean.fatalPermission(Permission.MAP, RolePermission.EXECUTE, "User does not have rights to reserve ( and buy) a place");
 		LanEvent event = eventBean.getCurrentEvent();
-        User user = userbean.getCurrentUser();
+		User user = permbean.getCurrentUser();
 		List<Place> places = placeFacade.findUsersReservations(e, user);
 		if (places.size() <= 0) {
@@ -188,7 +184,7 @@ public class PlaceBean implements PlaceBeanLocal {
 		// PlaceGroup pg = pgbean.createPlaceGroup(user);
 		BigDecimal totalprice = totalReservationPrice(e, null);
-        BigDecimal balance = userbean.getCurrentUser().getAccountBalance();
+		BigDecimal balance = permbean.getCurrentUser().getAccountBalance();
 		if (balance.compareTo(totalprice) < 0) {
 			logger.debug("User {} Could not buy things because account balance is too low!", user);
 			return false;
@@ -253,15 +249,15 @@ public class PlaceBean implements PlaceBeanLocal {
 	}
 	@Override
+	@RolesAllowed("MAP/WRITE")
 	public int setBuyable(EventMap map, String like, boolean b) {
-        userbean.fatalPermission(Permission.MAP, RolePermission.WRITE, "User tried to change place buyable: " + like + " to " + b);
 		return placeFacade.setBuyable(map, like, b);
 	}
 	@Override
+	@RolesAllowed("MAP/READ")
 	public Place find(EventPk id) {
-        userbean.fatalPermission(Permission.MAP, RolePermission.READ, "error reading place ", id);
 		return placeFacade.find(id);
 	}
@@ -284,13 +280,13 @@ public class PlaceBean implements PlaceBeanLocal {
 	}
 	@Override
-    public Place lockPlaces(User user, Place place) {
+	@RolesAllowed("SHOP/EXECUTE")
+	public Place lockPlaces(User user, Place place) throws PermissionDeniedException {
 		if (place.isTaken()) {
 			logger.warn("Place {} is already taken", place);
-            throw new PermissionDeniedException(secubean, userbean.getCurrentUser(), "NO RIGHT");
+			throw new PermissionDeniedException(secubean, permbean.getCurrentUser(), "Place already taken!");
 		}
-        userbean.fatalPermission(Permission.SHOP, RolePermission.EXECUTE, "User tried to lock place without SHOP:EXECUTE");
 		LanEvent ev = eventBean.getCurrentEvent();
 		PlaceGroup pg = new PlaceGroup(ev, Calendar.getInstance(), Calendar.getInstance(), true);
 		pg.setCreator(user);

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PlaceGroupBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PlaceGroupBean.java
@@ -3,6 +3,8 @@ package fi.insomnia.bortal.beans;
 import java.io.OutputStream;
 import java.util.List;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.RolesAllowed;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
@@ -20,9 +22,7 @@ import com.pdfjet.TextLine;
 import fi.insomnia.bortal.enums.Permission;
 import fi.insomnia.bortal.enums.RolePermission;
-import fi.insomnia.bortal.exceptions.PermissionDeniedException;
 import fi.insomnia.bortal.facade.GroupMembershipFacade;
-import fi.insomnia.bortal.facade.PlaceGroupFacade;
 import fi.insomnia.bortal.model.GroupMembership;
 import fi.insomnia.bortal.model.User;
@@ -30,6 +30,7 @@ import fi.insomnia.bortal.model.User;
 * Session Bean implementation class PlaceGroupBean
 */
 @Stateless
+@DeclareRoles("USER")
 public class PlaceGroupBean implements PlaceGroupBeanLocal {
 	private static final Logger logger = LoggerFactory.getLogger(PlaceGroupBean.class);
@@ -38,13 +39,12 @@ public class PlaceGroupBean implements PlaceGroupBeanLocal {
 	private EventBeanLocal eventbean;
 	@EJB
-    private PlaceGroupFacade pgfacade;
-    @EJB
 	private GroupMembershipFacade gmemfacade;
 	@EJB
-    private UserBeanLocal userbean;
+	private LoggingBeanLocal loggingbean;
 	@EJB
-    private SecurityBeanLocal secubean;
+	private PermissionBeanLocal permbean;
 	/**
 	 * Default constructor.
@@ -68,23 +68,23 @@ public class PlaceGroupBean implements PlaceGroupBeanLocal {
 	// }
 	@Override
+	@RolesAllowed("USER")
 	public List<GroupMembership> getMembershipsAndCreations(User user) {
-        userbean.fatalNotLoggedIn();
 		List<GroupMembership> ret = gmemfacade.findMemberOrCreator(eventbean.getCurrentEvent(), user);
 		return ret;
 	}
 	@Override
+	@RolesAllowed("USER")
 	public List<GroupMembership> getMemberships(User user) {
-        userbean.fatalNotLoggedIn();
 		List<GroupMembership> ret = gmemfacade.findMemberships(eventbean.getCurrentEvent(), user);
 		return ret;
 	}
 	@Override
+	@RolesAllowed("USER")
 	public boolean associateToToken(User user, String token) {
 		token = token.trim();
-        userbean.fatalNotLoggedIn();
 		GroupMembership mem = gmemfacade.findByToken(token);
 		boolean ret = false;
@@ -156,10 +156,10 @@ public class PlaceGroupBean implements PlaceGroupBeanLocal {
 	}
 	@Override
-    public void releaseAndGenerateToken(GroupMembership gmem) {
+	public void releaseAndGenerateToken(GroupMembership gmem) throws PermissionDeniedException {
-        if (!userbean.getCurrentUser().getId().equals(gmem.getPlaceGroup().getCreator().getId()) ||
+		if (!permbean.getCurrentUser().getId().equals(gmem.getPlaceGroup().getCreator().getId()) ||
-                !userbean.hasPermission(Permission.MAP, RolePermission.WRITE)) {
+				!permbean.hasPermission(Permission.MAP, RolePermission.WRITE)) {
-            throw new PermissionDeniedException(secubean, userbean.getCurrentUser(), "User tried to release and generate group membership: " + gmem);
+			throw new PermissionDeniedException(loggingbean, permbean.getCurrentUser(), "User tried to release and generate group membership: " + gmem);
 		}
 		gmem.setUser(null);
 		gmem.setInviteToken(gmemfacade.createInviteToken(eventbean.getCurrentEvent()));

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PlaceMapBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PlaceMapBean.java
 package fi.insomnia.bortal.beans;
-import java.awt.image.BufferedImage;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
-import javax.imageio.ImageIO;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import fi.insomnia.bortal.enums.Permission;
-import fi.insomnia.bortal.enums.RolePermission;
-import fi.insomnia.bortal.exceptions.PermissionDeniedException;
 import fi.insomnia.bortal.facade.EventMapFacade;
 import fi.insomnia.bortal.facade.PlaceFacade;
 import fi.insomnia.bortal.model.EventMap;
-import fi.insomnia.bortal.model.Place;
-import fi.insomnia.bortal.model.PlaceGroup;
-import fi.insomnia.bortal.model.User;
 /**
 * Session Bean implementation class PlaceMapBean
@@ -30,8 +13,6 @@ import fi.insomnia.bortal.model.User;
 @Stateless
 public class PlaceMapBean implements PlaceMapBeanLocal {
-    private static final Logger logger = LoggerFactory.getLogger(PlaceMapBean.class);
 	/**
 	 * Default constructor.
 	 */
@@ -45,12 +26,9 @@ public class PlaceMapBean implements PlaceMapBeanLocal {
 	// private EventMapBean eventmapBean;
 	private EventMapFacade eventMapFacade;
 	@EJB
-    private SecurityBeanLocal secubean;
-    @EJB
-    private UserBeanLocal userbean;
-    @EJB
 	private EventBeanLocal eventbean;
+	@Override
 	public Long selectablePlaceCount(EventMap map) {
 		return placeFacade.countSelectable(map);

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PollBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PollBean.java
@@ -4,13 +4,14 @@ import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.List;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.RolesAllowed;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import fi.insomnia.bortal.facade.EventChildGenericFacade;
 import fi.insomnia.bortal.facade.PollAnswerFacade;
 import fi.insomnia.bortal.facade.PollFacade;
 import fi.insomnia.bortal.facade.PollQuestionFacade;
@@ -25,6 +26,7 @@ import fi.insomnia.bortal.model.PossibleAnswer;
 */
 @Stateless
+@DeclareRoles("USER")
 public class PollBean implements PollBeanLocal {
 	@EJB
@@ -37,7 +39,7 @@ public class PollBean implements PollBeanLocal {
 	private EventBeanLocal eventBean;
 	@EJB
-    private UserBeanLocal userBean;
+	private PermissionBeanLocal permbean;
 	@EJB
 	private PossibleAnswerFacade possibleAnswerFacade;
@@ -55,11 +57,10 @@ public class PollBean implements PollBeanLocal {
 	}
 	@Override
+	@RolesAllowed("USER")
 	public List<Poll> findPolls() {
 		List<Poll> list = new ArrayList<Poll>();
-        userBean.fatalNotLoggedIn();
 		for (Poll p : pollFacade.findAll(eventBean.getCurrentEvent())) {
 			if (pollIsUsable(p)) {
 				list.add(p);
@@ -101,14 +102,15 @@ public class PollBean implements PollBeanLocal {
 	}
 	@Override
+	@RolesAllowed("USER")
 	public boolean createAnswers(List<PollAnswer> answers) {
-        userBean.fatalNotLoggedIn();
 		for (PollAnswer answer : answers) {
-            answer.setUser(userBean.getCurrentUser());
+			answer.setUser(permbean.getCurrentUser());
-            if (answer.getId().getId() == null)
+			if (answer.getId().getId() == null) {
 				pollAnswerFacade.create(answer);
 			}
+		}
 		return false;
 	}

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/ProductBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/ProductBean.java
@@ -6,11 +6,11 @@ import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.List;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.RolesAllowed;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
-import fi.insomnia.bortal.enums.Permission;
-import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.facade.AccountEventFacade;
 import fi.insomnia.bortal.facade.DiscountInstanceFacade;
 import fi.insomnia.bortal.facade.ProductFacade;
@@ -26,6 +26,7 @@ import fi.insomnia.bortal.model.User;
 * Session Bean implementation class ProductBean
 */
 @Stateless
+@DeclareRoles({ "PRODUCT/WRITE", "PRODUCT/READ", "SHOP/EXECUTE" })
 public class ProductBean implements ProductBeanLocal {
 	private static final String DEFAULT_CREDIT_PRODCT = "Automagic Credit product";
@@ -35,8 +36,6 @@ public class ProductBean implements ProductBeanLocal {
 	@EJB
 	private EventBeanLocal eventBean;
-    @EJB
-    private UserBeanLocal userbean;
 	@EJB
 	private AccountEventFacade accounteventfacade;
@@ -45,6 +44,9 @@ public class ProductBean implements ProductBeanLocal {
 	@EJB
 	private UserFacade userFacade;
+	@EJB
+	private PermissionBeanLocal permbean;
 	/**
 	 * Default constructor.
 	 */
@@ -53,13 +55,14 @@ public class ProductBean implements ProductBeanLocal {
 	}
 	@Override
+	@RolesAllowed("SHOP/EXECUTE")
 	public List<Product> listUserShoppableProducts() {
 		return productFacade.findPrepaidProducts(eventBean.getCurrentEvent());
 	}
 	@Override
+	@RolesAllowed("PRODUCT/WRITE")
 	public Product createProduct(String name, BigDecimal price) {
-        userbean.fatalPermission(Permission.PRODUCT, RolePermission.WRITE, "User tried to create product: ", name);
 		Product entity = new Product(eventBean.getCurrentEvent(), name, price);
 		productFacade.create(entity);
@@ -67,14 +70,14 @@ public class ProductBean implements ProductBeanLocal {
 	}
 	@Override
+	@RolesAllowed("PRODUCT/READ")
 	public List<Product> getProducts() {
-        userbean.fatalPermission(Permission.PRODUCT, RolePermission.READ, "User tried to fetch all products");
 		return productFacade.findAll(eventBean.getCurrentEvent());
 	}
 	@Override
+	@RolesAllowed("PRODUCT/WRITE")
 	public Product mergeChanges(Product product) {
-        userbean.fatalPermission(Permission.PRODUCT, RolePermission.WRITE, "User tried to save changes for product: ", product);
 		return productFacade.merge(product);
 	}
@@ -123,7 +126,7 @@ public class ProductBean implements ProductBeanLocal {
 		AccountEvent ret = new AccountEvent(eventBean.getCurrentEvent(), user, product, unitPrice, quantity, Calendar.getInstance());
 		ret.setDelivered(Calendar.getInstance());
-        ret.setSeller(userbean.getCurrentUser());
+		ret.setSeller(permbean.getCurrentUser());
 		// user.getAccountEvents().add(ret);
 		accounteventfacade.create(ret);
 		LanEvent event = eventBean.getCurrentEvent();
@@ -150,8 +153,8 @@ public class ProductBean implements ProductBeanLocal {
 	}
 	@Override
+	@RolesAllowed("SHOP/EXECUTE")
 	public List<Product> findForStaffshop() {
-        userbean.fatalPermission(Permission.SHOP, RolePermission.EXECUTE, "user  tried to get adminshoppable products from productbean without SHOP:EXECUTE");
 		return productFacade.findAll(eventBean.getCurrentEvent());
 	}

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/ReaderBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/ReaderBean.java
@@ -2,14 +2,14 @@ package fi.insomnia.bortal.beans;
 import java.util.Calendar;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.RolesAllowed;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import fi.insomnia.bortal.enums.Permission;
-import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.exceptions.BortalCatchableException;
 import fi.insomnia.bortal.facade.GroupMembershipFacade;
 import fi.insomnia.bortal.facade.PrintedCardFacade;
@@ -25,6 +25,7 @@ import fi.insomnia.bortal.model.ReaderEvent;
 * Session Bean implementation class ReaderBean
 */
 @Stateless
+@DeclareRoles("GAME/EXECUTE")
 public class ReaderBean implements ReaderBeanLocal {
 	@EJB
@@ -39,8 +40,6 @@ public class ReaderBean implements ReaderBeanLocal {
 	private GroupMembershipFacade gmfacade;
 	@EJB
 	private CardTemplateBeanLocal cardtemplatebean;
-    @EJB
-    private UserBeanLocal userbean;
 	private static final Logger logger = LoggerFactory.getLogger(ReaderBean.class);
 	@Override
@@ -60,7 +59,7 @@ public class ReaderBean implements ReaderBeanLocal {
 	}
 	@Override
-    public ReaderEvent assocTagToPlacecode(String tag, String readerIdent, String placecode) throws BortalCatchableException {
+	public ReaderEvent assocTagToPlacecode(String tag, String readerIdent, String placecode) throws BortalCatchableException, PermissionDeniedException {
 		GroupMembership gm = gmfacade.findByToken(placecode);
 		if (gm == null) {
@@ -116,8 +115,8 @@ public class ReaderBean implements ReaderBeanLocal {
 	}
 	@Override
+	@RolesAllowed("GAME/EXECUTE")
 	public ReaderEvent merge(ReaderEvent e) {
-        userbean.fatalPermission(Permission.GAME, RolePermission.EXECUTE, "Tried to change readerevent");
 		return readerEventFacade.merge(e);
 	}
 }
--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/RoleBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/RoleBean.java
@@ -9,14 +9,17 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import javax.annotation.Resource;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.RolesAllowed;
 import javax.ejb.EJB;
+import javax.ejb.SessionContext;
 import javax.ejb.Stateless;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import fi.insomnia.bortal.enums.Permission;
-import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.facade.RoleFacade;
 import fi.insomnia.bortal.facade.RoleRightFacade;
 import fi.insomnia.bortal.model.LanEvent;
@@ -28,10 +31,14 @@ import fi.insomnia.bortal.model.RoleRight;
 * @author tuukka
 */
 @Stateless
+@DeclareRoles({ "ROLE_MANAGEMENT/READ", "ROLE_MANAGEMENT/WRITE" })
 public class RoleBean implements RoleBeanLocal {
-//    private static final String PUBLIC_ROLE_NAME = BeanRole.ANONYMOUS.toString();
+	// private static final String PUBLIC_ROLE_NAME =
+	// BeanRole.ANONYMOUS.toString();
+	private static final Logger logger = LoggerFactory.getLogger(RoleBean.class);
+	@Resource
+	private SessionContext sc;
 	@EJB
 	private EventBeanLocal eventBean;
 	@EJB
@@ -39,38 +46,39 @@ public class RoleBean implements RoleBeanLocal {
 	@EJB
 	private RoleRightFacade rrfacade;
-    @EJB
+	@Override
-    private UserBeanLocal userbean;
+	@RolesAllowed("ROLE_MANAGEMENT/READ")
-    private static final Logger logger = LoggerFactory.getLogger(RoleBean.class);
 	public List<Role> listRoles() {
-        userbean.fatalPermission(Permission.ROLE_MANAGEMENT, RolePermission.READ, "User tried to listRoles");
 		return listRoles(eventBean.getCurrentEvent());
 	}
 	@Override
+	@RolesAllowed("ROLE_MANAGEMENT/READ")
 	public List<Role> listRoles(LanEvent event) {
 		return roleFacade.findAll(event);
 	}
+	@Override
+	@RolesAllowed("ROLE_MANAGEMENT/WRITE")
 	public Role mergeChanges(Role role) {
-        userbean.fatalPermission(Permission.ROLE_MANAGEMENT, RolePermission.WRITE, "User tried merge role changes for ", role);
 		return roleFacade.merge(role);
 	}
+	@Override
+	@RolesAllowed("ROLE_MANAGEMENT/WRITE")
 	public Role create(Role role) {
-        userbean.fatalPermission(Permission.ROLE_MANAGEMENT, RolePermission.WRITE, "User tried to create role", role.getName());
 		roleFacade.create(role);
 		return role;
 	}
+	@Override
+	@RolesAllowed("ROLE_MANAGEMENT/READ")
 	public List<Role> getPossibleParents(Role role) {
-        userbean.fatalPermission(Permission.ROLE_MANAGEMENT, RolePermission.READ, "User tried to get possible parents for role ", role);
 		List<Role> roleList = listRoles();
-        if (role == null)
+		if (role == null) {
 			return roleList;
+		}
 		List<Role> children = getAllChilds(role, new HashSet<Role>());
@@ -101,6 +109,8 @@ public class RoleBean implements RoleBeanLocal {
 		return returnList;
 	}
+	@Override
+	@RolesAllowed("ROLE_MANAGEMENT/READ")
 	public List<RoleRight> getRoleRights(Role r) {
 		List<RoleRight> ret = new ArrayList<RoleRight>();
@@ -111,28 +121,13 @@ public class RoleBean implements RoleBeanLocal {
 	}
 	@Override
+	@RolesAllowed("ROLE_MANAGEMENT/WRITE")
 	public RoleRight mergeChanges(RoleRight row) {
-        userbean.fatalPermission(Permission.ROLE_MANAGEMENT, RolePermission.WRITE, "User tried merge changes for RoleRight", row);
 		return rrfacade.merge(row);
 	}
+	@RolesAllowed("ROLE_MANAGEMENT/READ")
-//    public Role getOrCreatePublicRole() {
-//
-//        Role ret = roleFacade.findByName(PUBLIC_ROLE_NAME);
-//        if (ret == null) {
-//
-//            ret = roleFacade.createRole(eventBean.getCurrentEvent(), PUBLIC_ROLE_NAME);
-//            AccessRight perm = accessRightFacade.findByPermission(Permission.LOGIN);
-//            RoleRight rr = rrfacade.createRoleRight(ret, perm);
-//            rr.setRead(true);
-//        }
-//        return ret;
-//
-//    }
 	public RoleRight findRoleRight(Role role, Permission perm) {
 		RoleRight rr = rrfacade.find(perm, role);
 		if (rr == null) {
@@ -141,11 +136,11 @@ public class RoleBean implements RoleBeanLocal {
 		}
 		return rr;
 	}
 	@Override
+	@RolesAllowed("ROLE_MANAGEMENT/READ")
 	public Role find(int id, LanEvent event) {
 		return roleFacade.find(event.getId(), id);
 	}
 }
--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/SecurityBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/SecurityBean.java
-package fi.insomnia.bortal.beans;
-import java.util.Calendar;
-import javax.annotation.Resource;
-import javax.ejb.EJB;
-import javax.ejb.Stateless;
-import javax.ejb.TransactionManagement;
-import javax.ejb.TransactionManagementType;
-import javax.transaction.UserTransaction;
-import org.slf4j.Logger;
-import fi.insomnia.bortal.facade.LogEntryFacade;
-import fi.insomnia.bortal.facade.LogEntryTypeFacade;
-import fi.insomnia.bortal.model.LogEntry;
-import fi.insomnia.bortal.model.LogEntryType;
-import fi.insomnia.bortal.model.User;
-/**
- * Session Bean implementation class SercurityBean
- */
-@Stateless
-@TransactionManagement(TransactionManagementType.BEAN)
-public class SecurityBean implements SecurityBeanLocal {
-    private static final boolean DEBUG = true;
-    private final Logger logger = org.slf4j.LoggerFactory.getLogger(SecurityBean.class);
-    @EJB
-    private LogEntryTypeFacade typeFacade;
-    @EJB
-    private LogEntryFacade entryFacade;
-    @Resource
-    UserTransaction utx;
-    // @Override
-    // public LogEntry logPermissionDenied(User user, Exception exception) {
-    // LogEntry entry = null;
-    //
-    // entry = logMessage(SecurityLogType.permissionDenied, user,
-    // exception.getMessage());
-    // logger.debug(entry.toString(), exception);
-    //
-    // return entry;
-    //
-    // }
-    //
-    // public LogEntry logException(User user, Exception exception) {
-    //
-    // LogEntry entry = logMessage(SecurityLogType.unknownException, user,
-    // exception.getMessage());
-    // logger.debug(entry.toString(), exception);
-    // return entry;
-    // }
-    //
-    // public LogEntry logMessage(User user, String... description) {
-    //
-    // LogEntry entry = logMessage(SecurityLogType.genericMessage, user,
-    // toString(description));
-    //
-    // return entry;
-    // }
-    //
-    // private static final String toString(String... desc) {
-    // StringBuilder msg = new StringBuilder();
-    // for (String msgpart : desc) {
-    // msg.append(msgpart);
-    // }
-    // return msg.toString();
-    // }
-    //
-    // public LogEntry logMessage(String... description) {
-    // LogEntry entry = logMessage(SecurityLogType.genericMessage,
-    // toString(description));
-    // return entry;
-    //
-    // }
-    // public LogEntry logPermissionDenied(User currentuser, String... message)
-    // {
-    // return logMessage(SecurityLogType.permissionDenied, currentuser,
-    // toString(message));
-    // }
-    public LogEntry logMessage(SecurityLogType paramType, User user, String... description) {
-        LogEntry entry = null;
-        try {
-            String desc = toString(description);
-            utx.begin();
-            LogEntryType type = typeFacade.findOrCreate(paramType);
-            entry = new LogEntry(Calendar.getInstance());
-            entry.setType(type);
-            entry.setDescription(desc);
-            entry.setUser(user);
-            entryFacade.create(entry);
-            if (DEBUG) {
-                logger.debug("SECURITY DEBUG: Type: \"{}\" user \"{}\", description \"{}\"", new String[] { paramType.name(), (user == null) ? "null" : user.getLogin(), desc });
-            }
-            utx.commit();
-        } catch (Exception e) {
-            logger.warn("Exception at SecurityBean", e);
-        }
-        return entry;
-    }
-    private static final String toString(String... desc) {
-        StringBuilder msg = new StringBuilder();
-        for (String msgpart : desc) {
-            msg.append(msgpart);
-        }
-        return msg.toString();
-    }
-}
--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/UserBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/UserBean.java
 package fi.insomnia.bortal.beans;
-import java.security.Principal;
 import java.util.ArrayList;
-import java.util.Calendar;
 import java.util.Collection;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
-import javax.annotation.Resource;
+import javax.annotation.security.RolesAllowed;
 import javax.ejb.EJB;
 import javax.ejb.LocalBean;
-import javax.ejb.SessionContext;
 import javax.ejb.Stateless;
 import javax.persistence.EntityManager;
 import javax.persistence.PersistenceContext;
@@ -19,17 +16,14 @@ import javax.persistence.PersistenceContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import fi.insomnia.bortal.clientutils.BortalLocalContextHolder;
 import fi.insomnia.bortal.enums.Permission;
 import fi.insomnia.bortal.enums.RolePermission;
-import fi.insomnia.bortal.exceptions.PermissionDeniedException;
 import fi.insomnia.bortal.facade.GroupMembershipFacade;
 import fi.insomnia.bortal.facade.UserFacade;
 import fi.insomnia.bortal.facade.UserImageFacade;
 import fi.insomnia.bortal.model.GroupMembership;
 import fi.insomnia.bortal.model.LanEvent;
 import fi.insomnia.bortal.model.Role;
-import fi.insomnia.bortal.model.RoleRight;
 import fi.insomnia.bortal.model.User;
 import fi.insomnia.bortal.model.UserImage;
 import fi.insomnia.bortal.util.MailMessage;
@@ -43,7 +37,6 @@ import fi.insomnia.bortal.utilities.I18n;
 public class UserBean implements UserBeanLocal {
 	private static final Logger logger = LoggerFactory.getLogger(UserBean.class);
-    public static final String DEFAULT_USER_LOGIN = "ANONYMOUS";
 	/**
 	 * Java EE container injektoi tämän luokkamuuttujan luokan luonnin
@@ -53,11 +46,6 @@ public class UserBean implements UserBeanLocal {
 	private UserFacade userFacade;
 	@PersistenceContext
 	private EntityManager em;
-    @Resource
-    private SessionContext context;
-    @EJB
-    private SecurityBeanLocal secubean;
 	@EJB
 	private EventBeanLocal eventBean;
@@ -71,24 +59,26 @@ public class UserBean implements UserBeanLocal {
 	@EJB
 	private CardTemplateBeanLocal ctbean;
 	@EJB
-    private PlaceGroupBeanLocal pgbean;
-    @EJB
 	private AccountEventBeanLocal acbean;
 	@EJB
 	private GroupMembershipFacade groupMembershipFacade;
+	@EJB
+	private PermissionBeanLocal permbean;
 	@Override
+	@RolesAllowed("USER_MANAGEMENT/READ")
 	public List<User> getUsers() {
-        fatalPermission(Permission.USER_MANAGEMENT, RolePermission.READ);
 		List<User> ret = userFacade.findAll();
 		return ret;
 	}
 	@Override
-    public User mergeChanges(User user) {
+	public User mergeChanges(User user) throws PermissionDeniedException {
-        if (!isCurrentUser(user)) {
+		if (!permbean.isCurrentUser(user)) {
-            fatalPermission(Permission.USER_MANAGEMENT, RolePermission.WRITE);
+			permbean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.WRITE);
 		}
 		ctbean.checkPrintedCard(user);
@@ -104,104 +94,27 @@ public class UserBean implements UserBeanLocal {
 	}
 	@Override
-    public boolean isCurrentUser(User user) {
+	public List<Role> findUsersRoles(User u) throws PermissionDeniedException {
-        return (context.getCallerPrincipal() == null || user == null) ? false : context.getCallerPrincipal().getName().equals(user.getLogin());
+		User currusr = permbean.getCurrentUser();
-    }
+		if (!currusr.equals(u)) {
+			permbean.fatalNotLoggedIn();
-    @Override
-    public boolean isLoggedIn() {
-        return !getAnonUser().equals(getCurrentUser()) || getCurrentUser().isSuperadmin();
-    }
-    @Override
-    public User getCurrentUser() {
-        Principal principal = context.getCallerPrincipal();
-        User ret = userFacade.findByLogin(principal.getName());
-        if (ret == null) {
-            ret = getAnonUser();
-        }
-        return ret;
-    }
-    /**
-     * Makes sure default user and public role exist and the user is member of
-     * the role.
-     */
-    @Override
-    public User getAnonUser() {
-        User defaultUser = userFacade.findByLogin(DEFAULT_USER_LOGIN);
-        if (defaultUser == null) {
-            defaultUser = new User();
-            defaultUser.setLogin(DEFAULT_USER_LOGIN);
-            defaultUser.setNick(DEFAULT_USER_LOGIN);
-            userFacade.create(defaultUser);
-            defaultUser.setSuperadmin(true);
-        }
-        return defaultUser;
-    }
-    @Override
-    public boolean hasPermission(Permission target, RolePermission permission) {
-        User user = getCurrentUser();
-        Calendar start = Calendar.getInstance();
-        Boolean ret = BortalLocalContextHolder.hasPermission(target, permission);
-        // Boolean ret = BortalLocalContextHolder.hasPermission(target,
-        // permission);
-        if (ret == null) {
-            for (Role role : this.findUsersRoles(user)) {
-                if (role == null) {
-                    continue;
-                }
-                for (RoleRight rr : role.getRoleRights()) {
-                    BortalLocalContextHolder.setPermission(rr);
-                    ret = BortalLocalContextHolder.hasPermission(target, permission);
-                    if (ret != null) {
-                        break;
-                    }
-                }
-                if (ret != null) {
-                    break;
-                }
-            }
-        }
-        // TODO: FIX THIS!! really bad idea....
-        if (user.isSuperadmin()) {
-            return true;
-        }
-        if (ret == null) {
-            ret = false;
-            BortalLocalContextHolder.setPermission(target, permission, ret);
 		}
-        return ret;
+		return localFindUsersRoles(u);
-    }
-    @Override
-    public List<Role> findUsersRoles(User u) {
-        User currusr = getCurrentUser();
-        if (!currusr.equals(u)) {
-            fatalNotLoggedIn();
 	}
+	public List<Role> localFindUsersRoles(User u) {
 		Set<Role> checkedRoles = new HashSet<Role>();
 		addRecursive(checkedRoles, u.getRoles());
-        if (isLoggedIn()) {
+		if (permbean.isLoggedIn()) {
-            LanEvent event = eventBean.getCurrentEvent();
+			LanEvent event = eventBean.getCurrentEvent();
+			// add roles from events default role.
 			addRecursive(checkedRoles, event.getDefaultRole());
+			// add roles from accountEvents of the user
 			addRecursive(checkedRoles, acbean.getRolesFromAccountEvents(u));
 			for (GroupMembership member : groupMembershipFacade.findMemberships(event, u)) {
@@ -210,7 +123,6 @@ public class UserBean implements UserBeanLocal {
 			}
 		}
 		return new ArrayList<Role>(checkedRoles);
 	}
 	private void addRecursive(Set<Role> checkedRoles, Collection<Role> roles) {
@@ -231,44 +143,16 @@ public class UserBean implements UserBeanLocal {
 	}
 	@Override
-    public void fatalPermission(Permission target, RolePermission permission, Object... failmessage) {
+	@RolesAllowed("USER")
-        boolean ret = hasPermission(target, permission);
+	public UserImage uploadImage(Integer userid, String contentType, byte[] image, String filename, String description) throws PermissionDeniedException {
-        if (!ret) {
+		User user = permbean.getCurrentUser();
-            StringBuilder message = new StringBuilder("Target: ").append(target).append(" permission: ").append(permission);
-            if (failmessage == null || failmessage.length == 0) {
-                message.append(" MSG: SessionHandler mbean permission exception: Target: ")
-                        .append(target)
-                        .append(", Permission: ")
-                        .append(permission);
-            } else {
-                for (Object part : failmessage) {
-                    message.append(part == null ? "NULL" : part.toString());
-                }
-            }
-            // throw new SecurityException("Foobar");
-            throw new PermissionDeniedException(secubean, getCurrentUser(), message.toString());
-        }
-    }
-    @Override
-    public void fatalNotLoggedIn() {
-        if (!isLoggedIn()) {
-            throw new PermissionDeniedException(secubean, getCurrentUser(), "User is not logged in!");
-        }
-    }
-    @Override
-    public UserImage uploadImage(Integer userid, String contentType, byte[] image, String filename, String description) {
-        fatalNotLoggedIn();
-        User user = getCurrentUser();
 		logger.debug("uploading image to userid {}", userid);
 		if (userid == null || userid.equals(0)) {
 			userid = user.getId();
 		}
-        if (!getCurrentUser().getId().equals(userid)) {
+		if (!permbean.getCurrentUser().getId().equals(userid)) {
-            fatalPermission(Permission.USER_MANAGEMENT, RolePermission.EXECUTE, "usert tried to save picture to userid " + userid + " without sufficient permissions!");
+			permbean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.EXECUTE, "usert tried to save picture to userid " + userid + " without sufficient permissions!");
 			user = userFacade.find(userid);
 		}
 		UserImage userimage = new UserImage(user);
@@ -288,15 +172,15 @@ public class UserBean implements UserBeanLocal {
 	}
 	@Override
-    public UserImage findUserImage(int id) {
+	public UserImage findUserImage(int id) throws PermissionDeniedException {
 		UserImage ret = null;
-        if (id == 0 && isLoggedIn()) {
+		if (id == 0 && permbean.isLoggedIn()) {
-            ret = getCurrentUser().getCurrentImage();
+			ret = permbean.getCurrentUser().getCurrentImage();
 		} else {
 			ret = userimagefacade.find(id);
-            if (ret != null && !this.isCurrentUser(ret.getUser())) {
+			if (ret != null && !permbean.isCurrentUser(ret.getUser())) {
-                fatalPermission(Permission.USER_MANAGEMENT, RolePermission.READ, "Not enough rights to access image id: " + id + " for user " + ret.getUser());
+				permbean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.READ, "Not enough rights to access image id: " + id + " for user " + ret.getUser());
 			}
 		}
 		return ret;

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/UtilBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/UtilBean.java
@@ -2,7 +2,6 @@ package fi.insomnia.bortal.beans;
 import java.awt.Graphics2D;
 import java.awt.RenderingHints;
-import java.awt.geom.AffineTransform;
 import java.awt.image.BufferedImage;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -22,10 +21,6 @@ import javax.jms.Queue;
 import javax.jms.QueueConnection;
 import javax.jms.QueueConnectionFactory;
 import javax.jms.Session;
-import javax.persistence.EntityManager;
-import javax.persistence.EntityManagerFactory;
-import javax.persistence.PersistenceContext;
-import javax.persistence.PersistenceUnit;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -45,12 +40,6 @@ public class UtilBean implements UtilBeanLocal {
 	private static final int SCALEWIDTH = 640;
-    @PersistenceContext
-    private EntityManager em;
-    @PersistenceUnit
-    private EntityManagerFactory emf;
 	@EJB
 	private UserBean userbean;
@@ -83,7 +72,8 @@ public class UtilBean implements UtilBeanLocal {
 		return true;
 	}
-    public void checkAllUsersImages() {
+	@Override
+	public void checkAllUsersImages() throws PermissionDeniedException {
 		for (User usr : userbean.getUsers()) {
 			convertImage(usr);
@@ -91,7 +81,8 @@ public class UtilBean implements UtilBeanLocal {
 	}
-    public boolean convertImage(User user) {
+	@Override
+	public boolean convertImage(User user) throws PermissionDeniedException {
 		UserImage oldpic = user.getCurrentImage();
 		if (oldpic == null || oldpic.getMimeType() == null || oldpic.getMimeType().isEmpty()) {
 			return false;