From what I have understood, the Deployer assigns principals to roles defined in both DeclareRoles and RolesAllowed annotations, and the security-role elements in the deployment descriptor. I'm fine with the deployment descriptor. It's like EJB2. But how is the Deployer going to gather roles defined with annotations? Using a magic wand?
Either tools inspect the packaged EJB, or the EJB application/component will have to discuss these roles in documentation; in the enterprise, documentation is a good thing anyway.
By the way, this problem is not completely new: for example, how would a deployer know about roles that are only referenced in calls to EJBContext.isCallerInRole(String), even in a EJB 2.x application?
I think some (lightweight) documentation is the way to go...
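As an added example (not code from the thread or from any EJB container), here is the kind of tool the reply alludes to: a scanner that opens a packaged EJB jar, loads each class without running its static initializers, and reports every role name found in @DeclareRoles, @RolesAllowed and @RunAs, printed as the security-role fragment a deployer would paste into the assembly-descriptor. It assumes the JSR 250 annotations (javax.annotation.security.*) and the bean classes' dependencies are on the scanner's classpath; the class name RoleScanner and the jar path argument are illustrative. Roles referenced only inside EJBContext.isCallerInRole("...") calls are string literals in bytecode, not annotations, so this scanner does not see them, which is exactly why the thread falls back on documentation for that case.

```java
import java.io.IOException;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Enumeration;
import java.util.Set;
import java.util.TreeSet;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;

/** Illustrative scanner (not part of any EJB spec or container): lists role names
 *  that a deployer must map to principals for the classes packaged in an EJB jar. */
public class RoleScanner {

    /** Collect every role name declared through JSR 250 security annotations in the jar. */
    public static Set<String> scan(Path jarPath) throws IOException {
        Set<String> roles = new TreeSet<>();
        URL[] urls = { jarPath.toUri().toURL() };
        try (JarFile jar = new JarFile(jarPath.toFile());
             URLClassLoader loader = new URLClassLoader(urls, RoleScanner.class.getClassLoader())) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                String name = entries.nextElement().getName();
                if (!name.endsWith(".class")) {
                    continue;
                }
                String className = name.substring(0, name.length() - ".class".length()).replace('/', '.');
                try {
                    // initialize=false: inspect annotations without running static initializers
                    Class<?> cls = Class.forName(className, false, loader);
                    collectClassRoles(cls, roles);
                } catch (Throwable t) {
                    // NoClassDefFoundError etc. when a bean's dependency is not on the classpath
                    System.err.println("skipping " + className + ": " + t);
                }
            }
        }
        return roles;
    }

    private static void collectClassRoles(Class<?> cls, Set<String> roles) {
        DeclareRoles declared = cls.getAnnotation(DeclareRoles.class);
        if (declared != null) {
            addAll(declared.value(), roles);
        }
        RolesAllowed classAllowed = cls.getAnnotation(RolesAllowed.class);
        if (classAllowed != null) {
            addAll(classAllowed.value(), roles);
        }
        RunAs runAs = cls.getAnnotation(RunAs.class);
        if (runAs != null) {
            roles.add(runAs.value());   // the run-as identity is also a role the deployer must map
        }
        // Method-level @RolesAllowed overrides the class-level one and may name extra roles.
        for (Method m : cls.getDeclaredMethods()) {
            RolesAllowed methodAllowed = m.getAnnotation(RolesAllowed.class);
            if (methodAllowed != null) {
                addAll(methodAllowed.value(), roles);
            }
        }
    }

    private static void addAll(String[] values, Set<String> roles) {
        for (String v : values) {
            roles.add(v);
        }
    }

    /** Print the roles as an ejb-jar.xml assembly-descriptor fragment for the deployer. */
    public static String toSecurityRoleXml(Set<String> roles) {
        StringBuilder sb = new StringBuilder("<assembly-descriptor>\n");
        for (String role : roles) {
            sb.append("  <security-role><role-name>").append(role).append("</role-name></security-role>\n");
        }
        return sb.append("</assembly-descriptor>\n").toString();
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java RoleScanner <ejb-jar-file>");
            System.exit(2);
        }
        Set<String> roles = scan(Paths.get(args[0]));
        System.out.print(toSecurityRoleXml(roles));
    }
}
```

Run it against the packaged jar with the javax.annotation-api jar and the bean's dependencies on the classpath. Because it uses reflection rather than a bytecode parser, it only reports what the annotations declare; a role that exists solely as an argument to isCallerInRole(String) still has to come from the developer's documentation, so the scanner complements the documentation rather than replacing it.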
how would a deployer know about roles that are only referenced in calls to EJBContext.isCallerInRole(String), even in a EJB 2.x application?
I thought that the Bean Developer was responsible for setting pseudo-roles in the deployment descriptor. But I thought it was not particularly needed in 3.0. Well, as you said, documentation will be needed, or a tool scanning the classes. Thank you.