Yeah, that might seem confusing, but I'll try to explain it in other words.
- As you know the Bean Provider is "only" good at writing EJBs and the related deployment descriptors (he uses the javax.ejb classes).
- The Application Assembler is supposed to be bundling those EJBs together (+ complete the deployment descriptors) into a full-blown enterprise application.
- The Deployer is the one who deploys the EJB applications.
- The System Administrator is the one who knows how the application server works (JOnAS, WebLogic, whatever) and masters the platform environment on which the application server is running (Linux, Windows, whatever).

In plain terms, this means that the Bean Provider only uses symbolic role names within the application to provide programmatic security. The Application Assembler will then define who may call which method by defining security policies in the deployment descriptor (<security-role>, <method-permission> and related elements). The System Administrator defines the user groups and realms on the operating system and defines the security policies (roles, etc.) in the application server by using the administration console.
Now, it is clear that in some circumstances all these roles may be played by the same person and the boundary between the roles may be blurred. But keep in mind the following:
- The Bean Provider provides the EJBs
- The Application Assembler assembles them together into a whole coherent thing (he needs to specify security and transactional stuff)
- The Deployer deploys the application on the application server using the tools provided by the server provider.
- The System Administrator administers the environment on which the application server runs the J2EE applications. He needs to configure security, transactional, resource, etc. stuff in the server.

Hope this helps
