Security question: @RolesAllowed

Is it correct to say that:

@DeclareRoles maps to the security-role-ref element of the deployment descriptor.
If you use the role 'super_user' in your bean, you annotate it with the @DeclareRoles("super_user")
Next, you use the isCallerInRole("super_user").
However, if the actual role is admin, but not super_user, you can use the role-link to link "super_user" to "admin".
This way isCallerInRole("super_user") will return true if the actual role is "admin".

Now, this is in contrast with the @RolesAllowed annotation, since, if I'm correct, mapps directly the the "security-role".
So, if I would have annotated my bean method as : @RolesAllowed("super_user") there is no way to map it to "admin", right ?

@Stateless public class MyBean { @RolesAllowed("super_user") public void myMethod() { } }

^^ I will never be able to execute 'myMethod' with role 'admin' since the RolesAllowed asks for a "super_user" role.

The only way I see to "fix" this is to create another role in the deployment descriptor "admin" and give specific method permissions:

<security-role> <role-name>admin</role-name> </security-role> <method-permission> <role-name>admin</role-name> <method> <ejb-name>MyBean</ejb-name> <method-name>myMethod</method-name> </method> </method-permission>

This way the descriptor overrides the @RolesAllowed for the "myMethod", also allowing the "admin" role to access the method.
Does this make any sense ?

it seems you are correct.