Alexey Saenko gave me this answer to the same question:
The @DeclareRoles annotation specifies all roles which are used in the given class (or method). Also it is possible to specify the roles list in DD. In case there is no specified roles neither in DD nor with @DeclareRoles annotations, the container builds the list automatically by inspecting the @RolesAllowed annotation.
The actual role that a bean is using is determined by the Principal of the client that called it.A Principal is created once authentication and authorisation has occurred in either the Web or
EJB container.
It goes something like this:
-A user goes to 'http://www.ActionBazaar.com/mainLogin.jsp'
-They are asked for a username and password
-Authentication against an LDAP system(basically a list of users,passwords etc)
-The succesfully logged in user will be mapped to certain groups ie.Marketing,Technical,Sales
-The groups will be mapped to specific roles ie. Bidder,Seller,Administrator
-The mapping of groups to roles can be in the web.xml(if the authentication is in the web container) and if the authentication occurs in the EJB container then I think the mapping is in a container-specific file.
-When the user tries to access a web-resource ie.
http://www.ActionBazaar.com/DeleteBidder, the web container checks the web-xml to see if access to that URL is allowed FOR that role.
-The container checks the Principal object which contains information about the logged in user's role
-It sees that this user has a role of administrator...it then uses a container specific file to figure out what group that role is mapped to:
it is mapped to 'System Administrator'.
-In the web.xml :the URL
http://www.ActionBazaar.com/DeleteBidder.jsp is only allowed to be accessed by the role:System Administrator.
-Since that is the role we are using we can visit the page.
-On the page there is a 'Delete Bidder' button.
-When we click it it calls the DeleteBidBean,
-The DeleteBidBean has the following annotations at the class level;
@DeclareRoles("System Administrator")
@RolesAllowed("System Administrator")
The declare roles annotation specifies all the roles the bean might use across all it's methods.
The @RolesAllowed specifies that only "System Administrator" roles can using any methods in this class(because it's annotation is declared at class level),annotations can also be at the method level though.
-The bean is called from the DeleteBiddder.jsp,but since the web-container already authenticated the user the 'Principal' is still available to the EJB container(the web container passes the principal to the ejb container).
-The ejb container checks the Principal to see if the role of the Principal matches one of the roles in the @RolesAllowed.
Note:This is the same as us checking programatically by calling EJBContext.isUserInRole("System Administrator")
The user's Prinicpal has a role of "System Administrator" so the container invokes the bean's method!!