Section 17.3.1.
The set of security roles used by the application is taken to be the aggregation of the security roles defined by the security role names used in the DeclareRoles and RolesAllowed annotations. The Bean provider may augment the set of security roles defined for the application by annotations by means of the security-role deployment descriptor elements.
So, based on this quote, the deployer is expected to map the principals or groups to all of these three roles.
However, if method permission is defined for CUSTOMER in the deployment descriptor, the deployer only needs to map the principals or groups to CUSTOMER. This is because the deployment descriptor overrides the roles specified by the annotations in the bean class.
Compare this question with another question, ejbd.v6.2.616:
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
@Stateless
public class EnthuBean implements Enthu {
    @RolesAllowed("user")
    public void doStuff() { }
    public void doMoreStuff() { }
}
Further, the following snippet exists in the deployment descriptor ...
<method-permission>
<role-name>customer</role-name>
<method>
<ejb-name>EnthuBean</ejb-name>
<method-name>doStuff</method-name>
</method>
</method-permission>
In this case, the deployment descriptor overrides the roles allowed for the doStuff method. So, the deployer only needs to map principals/groups to the customer role.
It is optional for the deployer to map principals/groups to the user role.
Correct me if I am wrong.
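To make the override rule discussed in the post concrete, here is an added Python model (not code from the post or from any EJB container) that parses the method-permission element above and resolves which roles guard each method. It assumes the post's reading that a descriptor entry replaces the @RolesAllowed annotation for that method, and also handles the '*' method-name wildcard; the ANNOTATED table is a constructed stand-in for the annotations on EnthuBean.

```python
import xml.etree.ElementTree as ET

# @RolesAllowed metadata as on EnthuBean in the post (constructed):
# method -> role set, None where the method carries no annotation.
ANNOTATED = {"EnthuBean": {"class": None,
                           "methods": {"doStuff": {"user"}, "doMoreStuff": None}}}

# The post's method-permission element inside a minimal ejb-jar root (constructed).
EJB_JAR_XML = """<ejb-jar><assembly-descriptor>
  <method-permission>
    <role-name>customer</role-name>
    <method>
      <ejb-name>EnthuBean</ejb-name>
      <method-name>doStuff</method-name>
    </method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""

def descriptor_permissions(xml_text):
    """Collect {(ejb-name, method-name): roles} from every method-permission element."""
    perms = {}
    for mp in ET.fromstring(xml_text).iter("method-permission"):
        roles = {r.text.strip() for r in mp.findall("role-name")}
        for m in mp.findall("method"):
            key = (m.findtext("ejb-name").strip(), m.findtext("method-name").strip())
            perms.setdefault(key, set()).update(roles)
    return perms

def effective_roles(ejb, method, annotated, descriptor):
    """Roles allowed to call `method` under the post's reading: a descriptor entry for
    the method (or the '*' wildcard) overrides the annotation; otherwise the method-level
    @RolesAllowed applies, then the class-level one; None means unrestricted."""
    for key in ((ejb, method), (ejb, "*")):
        if key in descriptor:
            return set(descriptor[key])
    meta = annotated[ejb]
    return meta["methods"].get(method) or meta["class"]

def declared_roles(annotated, descriptor):
    """Section 17.3.1 aggregation: every role name from the annotations plus the descriptor."""
    roles = set()
    for meta in annotated.values():
        for rs in [meta["class"], *meta["methods"].values()]:
            roles |= rs or set()
    return roles.union(*descriptor.values())

def roles_in_effect(annotated, descriptor):
    """Roles that still guard at least one method once the descriptor is applied."""
    return set().union(*(effective_roles(e, m, annotated, descriptor) or set()
                         for e, meta in annotated.items() for m in meta["methods"]))
```

Running declared_roles against roles_in_effect shows the difference the post is asking about: both user and customer are declared, but after the descriptor is applied only customer protects a method.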