@DeclareRoles vs @RolesAllowed

Hi

I am preparing for SCBCD5 exam and have some doubts about these annotations.

I have good knowledge about security in older version of EJBs. But finding it hard to understand in EJB3.

RolesAllowed annotation is used to declare logical roles instead of declaring them in the deployment descriptor?

What is the use of DeclareRoles annotation? is it also used to declare new logical role name ?e.g. <security-role><role-name>name</role-name></security-role>

or used to refer the name used programmatically in ejb?
<security-role-ref> <description>desc</description> <role-name>manager</role-name> </security-role-ref>

e.g:
@DeclareRoles("employee","manager") @Stateless public class EmployeeBean implements Employee { @Resource SessionContext ctx; public void getEmployeeInfo(EmplInfo info) { if (ctx.isCallerInRole("manager")) { } } }

in the above code i have declared two roles "employee","manager" but the code itself uses only one role.So the container will create a new role called employee which is equivalent to <security-role><role-name>employee</role-name></security-role>?

i got the above question as i was going through the specification and it says :

The set of security roles used by the application is taken to be the aggregation of the security roles defined by the security role names used in the DeclareRoles and RolesAllowed annotations. The Bean Provider may augment the set of security roles defined for the application by annotations in this way by means of the security-role deployment descriptor element.

.

Thanks.
Siva