question: a <role-link> in <security-role-ref> is useful only for a programmatic security check (EJBContext.isCallerInRole() method)?
answer: yes, it is correct.
If <role-link> is missing in ejb-jar.xml, the user "ivan" can still access to the method that allows superusers.
But isCallerInRole("superuser") returns false as the role defined for the bean is not linked by the assembler to the operation environment.
One more note about the parameter for isCallInRole(String rolename). This rolename has to be the role defined by the bean provider, but not the role linked by the assembler or provided by the deployer.
For Ivan's example, the deployer create a role called "super-user". The bean provider created a role called "superuser". The assembler links the roles by using "superuser2".
isCallerInRole("superuser") should be used for security check.
Let me answer my own question again, in a better way after reading some explanations in Enthuware.
1. The <role-link> is missing in the <session> element. The application assembler defines a role "superUser" in <security-role> in <assembly-descriptor>. The bean provider defines another role "superUser". But these two roles are not linked, so they are not related.
2. The <security-role> in <assembly-descriptor> defined "superUser" can access the method.
The security role and method permission in the dd overrides the annotations in the bean code.
The "superUser" is mapped to a principal, "ivan" by the deployer.
3. Th target environment, which is GlassFish 3.1.2 , allows "ivan" to access that method as specified by the application assembler and the deployer in their deployment descriptors, but not the bean provider in this case as the bean provider's role is not linked by the application assembler.
4. However, the session bean does not link any role to "superUser" defined by the application assembler. The bean does not know which role "ivan" is in.
5. Therefore, isCallerInRole("superUser") return false as the bean does not link the bean provider's "superUser" to application assembler's "superUser".
grapes are vegan food pellets. Eat this tiny ad:
Building a Better World in your Backyard by Paul Wheaton and Shawn Klassen-Koop