@DeclareRoles maps to the security-role-ref element of the deployment descriptor.
If you use the role 'super_user' in your bean, you annotate it with the @DeclareRoles("super_user")
Next, you use the isCallerInRole("super_user").
However, if the actual role is admin, but not super_user, you can use the role-link to link "super_user" to "admin".
This way isCallerInRole("super_user") will return true if the actual role is "admin".
Now, this is in contrast with the @RolesAllowed annotation, since, if I'm correct, mapps directly the the "security-role".
So, if I would have annotated my bean method as : @RolesAllowed("super_user") there is no way to map it to "admin", right ?
^^ I will never be able to execute 'myMethod' with role 'admin' since the RolesAllowed asks for a "super_user" role.
The only way I see to "fix" this is to create another role in the deployment descriptor "admin" and give specific method permissions:
This way the descriptor overrides the @RolesAllowed for the "myMethod", also allowing the "admin" role to access the method.
Does this make any sense ?