Security

What is the difference between Security-Role-Ref & Security-role tags. The @declarerole corresponds to which tags.

@Declarerole is used as class annotation. So there fore security-role-ref is used within session bean tags? So what is the corresponding annotation to security-role.

The security-role-ref is used to declare roles name you used in you code,corresponding annotation is @javax.annotatio.security.DeclareRoles,you need to use role-link to link your role name to logical role name declared by assembler by security-role
,as manning's book said,security-role's corresponding annotation is @java.annotation.security.DeclareRoles too.
correct me if I am wrong.

Hi,

Thanks for asking this, as this is a part of the specs that I don't understand well...
For me, there are two distinct things:
- Security Role References
- Security Roles

The specs (17.2.5.3) says:

The Bean Provider is responsible for using the DeclareRoles annotation or the security-role-ref elements of the deployment descriptor to declare all the security role names used in the enterprise bean code.

So for me, DeclareRoles declares Security Role References.

But in the chapter (17.3.1):

The Bean Provider may augment the set of security roles defined for the application by annotations in this way by means of the security-role deployment descriptor element.

So, annotations (DeclareRoles and RolesAllowed) declares Security Roles.

I think the link is at the chapter 17.3.3:

In the absence of any explicit linking, a security role reference will be linked to a security role having the same name.

So, for me, annotations DeclareRoles and RolesAllowed declares security-role-ref and those references are implicitly mapped to Security Roles.
Those security roles can then be tested with isCallerInRole.

Can someone confirm or correct ?
Thanks,

Beno�t

Just to add from 17.3.3

The Security role references used in the components of the application(@DeclareRoles|<SECURITY-ROLE-REF> are linked to the securiy roles defined for the application (<SECURIY-ROLE> .

The linking is not required if the role defined in security-role-ref is same as security role.

But what does this mean

Bean Provider may augment the set of security roles defined for the application by annotations in this way by means of the security-role dd element

So if were using just the annotations, how are we supposed to do the linking part.

1. Is it required to include the role used in @RunAs in the @RoleDeclared Element
2. Which value to we use in @RunAs. Is it the value specified in security-role-ref or security-role. Or does this really matter.