Hi, I'm just studying that a bean can be given another security role other than the client's Principal one by using the <security-identity><run-as /></security-identity> element in the DD.
The question is: who defines this element? I think it's not the bean's developer, as she may not know the business context in which the application will run; for the same reason I would say that it is not the Application Assembler either. Shall I assume it is the application deployer?
There's a reference there to a study guide where you can read this:
"The Application Assembler uses the security-identity deployment descriptor element to specify whether the caller's security identity should be used for the execution of the methods of an enterprise bean or whether a specific run-as identity should be used ... Because the Application Assembler does not, in general, know the security environment of the operational environment, the run-as identity is designated by a LOGICAL role-name, which corresponds to one of the security roles defined by the Application Assembler in the deployment descriptor."

[ July 25, 2004: Message edited by: Lionel Orellana ]
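A deployment descriptor fragment illustrating the quoted passage, added here as an example and not taken from the thread or the study guide. It assumes an EJB 2.0 ejb-jar.xml; the bean names, class names and the role name `report-runner` are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC
  "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <!-- Hypothetical bean that calls other beans under a run-as identity. -->
    <session>
      <ejb-name>ReportBean</ejb-name>
      <home>com.example.ReportHome</home>
      <remote>com.example.Report</remote>
      <ejb-class>com.example.ReportBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <!-- Logical role only: no user name, group or password appears here. -->
        <run-as>
          <role-name>report-runner</role-name>
        </run-as>
      </security-identity>
    </session>

    <!-- Hypothetical bean that keeps the caller's own identity. -->
    <session>
      <ejb-name>AccountBean</ejb-name>
      <home>com.example.AccountHome</home>
      <remote>com.example.Account</remote>
      <ejb-class>com.example.AccountBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- The run-as role-name above must match a security-role declared here. -->
    <security-role>
      <description>Identity used by ReportBean for its outgoing calls</description>
      <role-name>report-runner</role-name>
    </security-role>
  </assembly-descriptor>
</ejb-jar>
```

The descriptor carries only the logical role; binding `report-runner` to an actual principal in the operational environment is done at deployment with container-specific configuration, which is not shown because it differs per vendor.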