As Manning's book said, security-role's corresponding annotation is @java.annotation.security.DeclareRoles too.
Correct me if I am wrong.
Thanks for asking this, as this is a part of the specs that I don't understand well...
For me, there are two distinct things:
- Security Role References
- Security Roles
The specs (184.108.40.206) says:
The Bean Provider is responsible for using the DeclareRoles annotation or the security-role-ref elements of the deployment descriptor to declare all the security role names used in the enterprise bean code.
So for me, DeclareRoles declares Security Role References.
But in the chapter (17.3.1):
The Bean Provider may augment the set of security roles defined for the application by annotations in this way by means of the security-role deployment descriptor element.
So, annotations (DeclareRoles and RolesAllowed) declare Security Roles.
I think the link is at the chapter 17.3.3:
In the absence of any explicit linking, a security role reference will be linked to a security role having the same name.
So, for me, annotations DeclareRoles and RolesAllowed declare security-role-ref and those references are implicitly mapped to Security Roles.
Those security roles can then be tested with isCallerInRole.
Can someone confirm or correct?
The security role references used in the components of the application (@DeclareRoles|<SECURITY-ROLE-REF>) are linked to the security roles defined for the application (<SECURITY-ROLE>).
The linking is not required if the role defined in security-role-ref is the same as the security role.
But what does this mean:
Bean Provider may augment the set of security roles defined for the application by annotations in this way by means of the security-role dd element
So if we're using just the annotations, how are we supposed to do the linking part?
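
The annotation-only case discussed in this thread, as an added example that is not part of any post or of the spec text: the role name tested with isCallerInRole is declared with @DeclareRoles and, per the 17.3.3 sentence quoted above, is linked to the security role of the same name when no explicit link exists. The bean, interface, role names and salary threshold are hypothetical, and the javax.* (EJB 3.0 era) API is assumed.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical business interface, constructed for this example.
@Local
interface Payroll {
    void adjustSalary(String employeeId, long newSalaryCents);
}

// "payroll-admin" appears in code (isCallerInRole), so it is declared here.
// "hr" is declared implicitly by its use in @RolesAllowed.
@Stateless
@DeclareRoles("payroll-admin")
public class PayrollBean implements Payroll {

    private static final long LARGE_CHANGE_CENTS = 10000000L; // assumed threshold

    @Resource
    private SessionContext ctx;

    // Container-enforced check: caller must hold one of these roles.
    @RolesAllowed({"hr", "payroll-admin"})
    public void adjustSalary(String employeeId, long newSalaryCents) {
        // Programmatic check: with no security-role-ref/role-link in the
        // descriptor, "payroll-admin" resolves to the security role named
        // "payroll-admin".
        if (newSalaryCents > LARGE_CHANGE_CENTS && !ctx.isCallerInRole("payroll-admin")) {
            throw new EJBAccessException("large adjustments require payroll-admin");
        }
        // ... persist the change ...
    }
}

/* An explicit link is needed only when the name used in code differs from the
   application's security role, and it is written in ejb-jar.xml:

   <session>
     <ejb-name>PayrollBean</ejb-name>
     <security-role-ref>
       <role-name>payroll-admin</role-name>
       <role-link>finance-admin</role-link>
     </security-role-ref>
   </session>
*/
```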