The security-role-ref is used to declare the role names you used in your code; the corresponding annotation is @javax.annotation.security.DeclareRoles. You need to use role-link to link your role name to the logical role name declared by the assembler via security-role. As Manning's book said, security-role's corresponding annotation is @javax.annotation.security.DeclareRoles too. Correct me if I am wrong.
Thanks for asking this, as this is a part of the specs that I don't understand well... For me, there are two distinct things:
- Security Role References
- Security Roles
The specs (184.108.40.206) say:
The Bean Provider is responsible for using the DeclareRoles annotation or the security-role-ref elements of the deployment descriptor to declare all the security role names used in the enterprise bean code.
So for me, DeclareRoles declares Security Role References.
But in the chapter (17.3.1):
The Bean Provider may augment the set of security roles defined for the application by annotations in this way by means of the security-role deployment descriptor element.
So, annotations (DeclareRoles and RolesAllowed) declare Security Roles.
I think the link is at the chapter 17.3.3:
In the absence of any explicit linking, a security role reference will be linked to a security role having the same name.
So, for me, the annotations DeclareRoles and RolesAllowed declare security-role-ref entries, and those references are implicitly mapped to Security Roles. Those security roles can then be tested with isCallerInRole.
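A minimal illustration of the mapping this answer describes, added here as an example and not taken from the thread or from any book: the bean declares the role name it tests in code with @DeclareRoles, and the deployment descriptor's security-role-ref/role-link entry maps that coded name onto the logical security-role the assembler defines; a coded name without a role-link is linked to a security-role of the same name, as the spec passage quoted above (17.3.3) says. The bean name PayrollBean, the role names and the ejb-jar.xml fragment are all assumed for illustration.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Assumed example bean (not from the thread). "auditor" and "payroll-clerk"
// are the role names used *in code*; declaring them tells the container
// which names isCallerInRole() and @RolesAllowed will refer to.
@Stateless
@DeclareRoles({"auditor", "payroll-clerk"})
public class PayrollBean {

    @Resource
    private SessionContext ctx;

    // Declarative check: only callers in the logical role that the coded
    // name "payroll-clerk" links to may invoke this method.
    @RolesAllowed("payroll-clerk")
    public String submitTimesheet(String employeeId, int hours) {
        return "accepted:" + employeeId + ":" + hours;
    }

    // Programmatic check against the coded role name "auditor". The
    // container resolves it through the security-role-ref below; with no
    // explicit role-link it would be linked to a security-role named
    // "auditor" (EJB spec 17.3.3).
    public boolean canViewSalaries() {
        return ctx.isCallerInRole("auditor");
    }
}

/*
 Assumed ejb-jar.xml fragment (constructed for this example). The assembler
 chose the logical name "finance-auditor", so the coded name "auditor" is
 explicitly linked to it; "payroll-clerk" has no role-link and is therefore
 linked to the security-role of the same name.

 <ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.1">
   <enterprise-beans>
     <session>
       <ejb-name>PayrollBean</ejb-name>
       <security-role-ref>
         <role-name>auditor</role-name>
         <role-link>finance-auditor</role-link>
       </security-role-ref>
     </session>
   </enterprise-beans>
   <assembly-descriptor>
     <security-role><role-name>finance-auditor</role-name></security-role>
     <security-role><role-name>payroll-clerk</role-name></security-role>
   </assembly-descriptor>
 </ejb-jar>
*/
```

With that descriptor in place, canViewSalaries() returns true exactly for callers the container maps to the logical security-role finance-auditor, even though the code never mentions that name; renaming the logical role later is then a descriptor change only, which is the point of keeping the coded name and the assembler's name separate.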
1. Is it required to include the role used in @RunAs in the @RoleDeclared element?
2. Which value do we use in @RunAs? Is it the value specified in security-role-ref or security-role? Or does this really matter?