Role Name under the <security-role-ref> tag is defined by the Bean Provider whereas the <role-link> is usually defined by the application assembler so, while making ejb-jar.xml file, its not mandatory to fill up the <role-link> tag. Sometime time afterwards, this <role-link> can be added to the DD by Application Assembler.
Hope this answers your question.
Joined: Nov 22, 2001
Lalit Thanks for reply.
It seems Question was tricky ,as it's not mentioned in Question from whose point of view it's optional like from bean provider or appplication assembler.
From what I understand, <role-link> is not really required very often. It's only REALLY needed if there is a naming clash between what one bean producer created and another created. This is because instead of <role-link>, the AA can just re-use whatever the bean producer created in <security-role-ref>, and it will work.