About Question com.enthuware.ets.scbcd.v5.2.269 :

Post by ETS User »

Your explanation of this:

Always remember this:

1. security-role-ref: This is the name used by the bean code to refer to a security role. Since it is used inside the bean code, the provider specifies it in the deployment descriptor.

2. security-role: These are the logical roles that are available to the application. Since these are application specific, these are specified by the application assembler in the deployment descriptor. Also, since these are provided by the application assembler, the application assembler also has the responsibility of mapping security-role-ref to the security-role. Further, since the application assembler knows the business logic, she also specifies which bean methods can be called by which role using the <method-permission> tags.

3. The deployer makes sure that the roles required by the application assembler are available in the target system. The Deployer's job is to map the security view that was specified by the Application Assembler to the mechanisms and policies used by the security domain in the target operational environment. The output of the Deployer's work includes an application security policy descriptor that is specific to the operational environment. The format of this descriptor and the information stored in the descriptor are specific to the EJB Container.

The Deployer is also responsible for assigning the security domain and principal realm to an enterprise bean application.

But when I look at 17.3.1 Security Roles of ejb-3_0_fr-spec, it describes that:

.............
The Bean Provider or Application Assembler defines method permissions for each security role.
.................
If the deployment descriptor is used, the Bean Provider and/or Application Assembler uses the
security-role deployment descriptor element as follows:
• Define each security role using a security-role element.
• Use the role-name element to define the name of the security role.
• Optionally, use the description element to provide a description of a security role

That makes me confused. So which is correct?


Re: About Question com.enthuware.ets.scbcd.v5.2.269 :

Post by admin »

I am not sure where the inconsistency is. Both are taken from the specification.

neo

Re: About Question com.enthuware.ets.scbcd.v5.2.269 :

Post by neo »

The answer is wrong and the explanation is confused.

According to the spec:

- Bean Provider may also declare security roles (by means of @DeclareRoles e.g.). Not just Application Assembler.

- Both Bean Provider / Application Assembler may define method permissions using metadata annotations and/or the deployment descriptor.

neo

Re: About Question com.enthuware.ets.scbcd.v5.2.269 :

Post by neo »

Does anyone have advice?
