I think that the answer suggested as correct is wrong:
Bean provider declares the logical security roles used in the application.
Here is my argumentation:
1. The Bean Provider can define security role references (security-role-ref). The security role references are for the component (not for the application). The security role references can be linked to security roles, but this can be done by the Application Assembler, because this role has information about the application logic.
2. The Application Assembler is the role that has the most knowledge about the business logic -> he/she is the one that defines application (logic roles).
IMHO the correct answer can be:
Bean provider declares the logical security role references used in the component.
or
Application Assembler declares the logical security roles used in the application.
Best Regards,
Mihai
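
The split described in the post above, shown as an added `ejb-jar.xml` fragment that is not part of the original post. The bean, class, method and role names are hypothetical, and the fragment is trimmed to the security-relevant elements.

```xml
<!-- Constructed example: all bean, class, method and role names are hypothetical. -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>PayrollBean</ejb-name>
      <ejb-class>com.example.PayrollBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>

      <!-- Bean Provider: a role REFERENCE scoped to this component.
           "payroll" is the name the bean code passes to isCallerInRole(). -->
      <security-role-ref>
        <description>Role name used inside PayrollBean</description>
        <role-name>payroll</role-name>
        <!-- Application Assembler: links the component-level reference
             to a security role defined for the whole application. -->
        <role-link>payroll-department</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Application Assembler: the logical security ROLE of the application. -->
    <security-role>
      <description>Staff allowed to change salary data</description>
      <role-name>payroll-department</role-name>
    </security-role>

    <!-- Method permissions are granted against the application role,
         never against the bean's internal reference name. -->
    <method-permission>
      <role-name>payroll-department</role-name>
      <method>
        <ejb-name>PayrollBean</ejb-name>
        <method-name>updateSalary</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```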