When you say that (excerpt from EJB spec)
This means the absence of the <role-link> element inside the <security-role-ref> element (not the element security-role-ref itself). So we must have the <security-role-ref> <role-name> element in the DD or the @DeclareRoles annotation in the bean code if we want to use isCallerInRole in the bean. In the absence of this linking step, any security role name as used in the code will be assumed to correspond to a security role of the same name
like this
<enterprise-beans>
  <session>
    <ejb-name>SecurityBean</ejb-name>
    <security-role-ref>
      <role-name>test</role-name>
    </security-role-ref>
  </session>
</enterprise-beans>
See this link
http://www.coderanch.com/t/547984/java- ... ty-role-wo
From the above thread, it seems that even GlassFish verifies this behavior.
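
The linking rule discussed in this post can be checked mechanically against a deployment descriptor. The script below is an added example, not part of the original post or of any container's code: it resolves each <security-role-ref> to the role it ends up naming and reports whether that role appears in the assembly descriptor. The function name `resolve_role_refs`, the sample descriptor and the role names "boss" and "manager" are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread): the first reference has
# no <role-link>, the second links the coded name "boss" to the role "manager".
SAMPLE_DD = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>SecurityBean</ejb-name>
      <security-role-ref>
        <role-name>test</role-name>
      </security-role-ref>
      <security-role-ref>
        <role-name>boss</role-name>
        <role-link>manager</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>manager</role-name></security-role>
  </assembly-descriptor>
</ejb-jar>"""

def _local(tag):
    """Drop any '{namespace}' prefix so namespaced descriptors parse too."""
    return tag.rsplit("}", 1)[-1]

def _text(parent, name):
    """Trimmed text of the first direct child called `name`, or None."""
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def resolve_role_refs(dd_xml):
    """Return (bean, name_in_code, effective_role, role_is_declared) per reference."""
    root = ET.fromstring(dd_xml)
    declared = {_text(e, "role-name") for e in root.iter()
                if _local(e.tag) == "security-role"}
    rows = []
    for bean in root.iter():
        for ref in bean:
            if _local(ref.tag) != "security-role-ref":
                continue
            coded = _text(ref, "role-name")
            # No <role-link>: the coded name is taken as the role of the same name.
            effective = _text(ref, "role-link") or coded
            rows.append((_text(bean, "ejb-name"), coded, effective, effective in declared))
    return rows
```

The script reads only the descriptor, so a role declared solely through @DeclareRoles in the bean class will show as undeclared here and needs a manual check.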