Hi Guys, Found out some doubts on the spec, page 433.
- Lessen the burden of the application developer (i.e. the Bean Provider) for securing the application by allowing greater coverage from more qualified EJB roles. The EJB Container provider provides the implementation of the security infrastructure; the Deployer and System Administrator define the security policies.
- Allow the security policies to be set by the Application Assembler or Deployer rather than being hard-coded by the Bean Provider at development time.
The first item says "the Deployer and System Administrator define the security policies.", while the second item says "Allow the security policies to be set by the Application Assembler or Deployer rather than being..." So, should the security policies be set by the Deployer and System Admin, by the Deployer and Application Assembler, or by all three of them? The spec doesn't seem to make this point clear. I also have a doubt about this mock question, HFEJB page 593, Question 3: Which role(s) should typically define the appropriate security policies for an application? A. bean provider B. application assembler C. deployer D. system administrator E. server provider
The given answer is (B, C), but based on the spec, option D is also a right answer. So, thanks a lot in advance for clearing up this confusion for me!
Yeah, that might seem confusing, but I'll try to explain it in other words.
- As you know, the Bean Provider is "only" good at writing EJBs and the related deployment descriptors (he uses the javax.ejb classes).
- The Application Assembler is supposed to bundle those EJBs together (and complete the deployment descriptors) into a full-blown enterprise application.
- The Deployer is the one who deploys the EJB applications.
- The System Administrator is the one who knows how the application server works (JOnAS, WebLogic, whatever) and masters the platform environment on which the application server is running (Linux, Windows, whatever).
To put it clearly, this means that the Bean Provider only uses symbolic role names within the application to provide programmatic security. The Application Assembler will then define who may call which method by defining security policies in the deployment descriptor (<security-role>, <method-permission> and related elements). The System Administrator defines the user groups and realms on the operating system and defines the security policies (roles, etc.) in the application server by using the administration console.
Now, it is clear that in some circumstances all these roles may be played by the same person and the boundary between the roles may be blurred. But keep in mind the following:
- The Bean Provider provides the EJBs.
- The Application Assembler assembles them together into a whole coherent thing (he needs to specify security and transactional stuff).
- The Deployer deploys the application on the application server using the tools provided by the server provider.
- The System Administrator administers the environment on which the application server runs the J2EE applications. He needs to configure security, transactional, resource, etc., stuff in the server.
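To make the division of labour in the answer above concrete, here is an added example of an EJB 2.0 ejb-jar.xml fragment; it is not from the spec, from HFEJB or from either poster, and the bean name PayrollBean, its methods and the role names are invented for illustration. The Bean Provider's contribution is the <security-role-ref> (the symbolic name "approver" that the bean code passes to EJBContext.isCallerInRole), the Application Assembler's contribution is everything in <assembly-descriptor> plus the <role-link> that ties the symbolic name to an assembled role, and the Deployer's contribution is not in this file at all: mapping "payroll-manager" and "employee" to real users or groups of the realm the System Administrator set up happens in the vendor-specific descriptor or the server's console.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <session>
      <!-- Bean Provider part: the bean and the symbolic roles its code refers to.
           Names (PayrollBean, com.example.*) are assumptions for this example. -->
      <ejb-name>PayrollBean</ejb-name>
      <home>com.example.payroll.PayrollHome</home>
      <remote>com.example.payroll.Payroll</remote>
      <ejb-class>com.example.payroll.PayrollBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-role-ref>
        <description>
          Used in the bean as ctx.isCallerInRole("approver") before approveRaise
          does its work; the bean code never sees real user or group names.
        </description>
        <role-name>approver</role-name>
        <!-- Application Assembler fills this in: links the bean's symbolic
             name to a role declared in the assembly-descriptor below. -->
        <role-link>payroll-manager</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Application Assembler part: the application-level roles ... -->
    <security-role>
      <description>May approve salary changes</description>
      <role-name>payroll-manager</role-name>
    </security-role>
    <security-role>
      <description>Any authenticated member of staff</description>
      <role-name>employee</role-name>
    </security-role>

    <!-- ... and the declarative policy: who may call which method. -->
    <method-permission>
      <role-name>employee</role-name>
      <role-name>payroll-manager</role-name>
      <method>
        <ejb-name>PayrollBean</ejb-name>
        <method-name>viewPayslip</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>payroll-manager</role-name>
      <method>
        <ejb-name>PayrollBean</ejb-name>
        <method-name>approveRaise</method-name>
      </method>
    </method-permission>
    <!-- Home interface methods (create/remove) need no particular role. -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>PayrollBean</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <!-- A method that must never be callable in this deployment. -->
    <exclude-list>
      <method>
        <ejb-name>PayrollBean</ejb-name>
        <method-name>purgeAllRecords</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
```

Two things worth checking when reviewing such a descriptor: a business method that appears in no <method-permission> and no <exclude-list> has no policy at all, and what the container does with it is vendor-defined, so the Application Assembler should cover every exposed method (or use <method-name>*</method-name> plus an <exclude-list>); and any role-name used in <method-permission> or <role-link> that has no matching <security-role> is a deployment error, which is exactly the kind of inconsistency the Deployer is expected to catch with the server's tools before mapping roles to principals.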