dev@glassfish.java.net

javaee5 EAR security & sun-application.xml question

From: Peter Williams <Pete.Williams_at_Sun.COM>
Date: Tue, 11 Jul 2006 14:36:37 -0700

Hi,

I'm not sure who to address this to, but presumably the person(s) who
are responsible for EAR and EJB level security for appserver.

I'm looking at the "cart-secure" example in the javaee5 tutorial.

This example is an EAR containing an EJB module and an App Client. The
sun-ejb-jar.xml file for the EJB module and sun-application.xml file for
the EAR define security-role-mapping entries for the role-name "CartUser".

The only place this role is defined is in an @RolesAllowed annotation in
the session EJB inside the EJB module. So I have a few questions --

1. Does this mean that sun-application.xml is allowed to define
security-role-mappings that refer to role names that are _only_ defined
in contained modules? Or is it a bug and there should have been
"security-role" entries in application.xml to define this role at the
EAR level? If it's not a bug, can someone point me to where in the spec
it says EARs do this, because apparently I can't find it.

2. (a) Does this mean that @RolesAllowed replaces the "security-role"
entry from the standard descriptor à la J2EE 1.4? If so, does that mean
that a security-role entry in the standard descriptor would override this?
    (b) Does the server infer any other implicit descriptor values from
this annotation?
    (c) Where does @DeclareRoles fit into all this?

Thanks

-Peter
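For readers following the thread, here is the shape of the artifacts the question is about: a session bean whose only role declarations are annotations, alongside the sun-ejb-jar.xml security-role-mapping that binds those role names to GlassFish groups. This is an added illustration, not the tutorial's cart-secure code or anything posted to the list. It also shows the one place @DeclareRoles is needed in this style: a role name ("CartAuditor") that the bean only tests programmatically through isCallerInRole(), which no @RolesAllowed would otherwise surface to the container. The interface, class, method and group names (Cart, CartBean, callerMayAudit, "user", "auditor") are assumed for the example.

```java
// --- Cart.java --- (added example, not code from the tutorial or the list post)
package example.cart;

import java.util.List;
import javax.ejb.Remote;

@Remote
public interface Cart {
    void addBook(String title);
    List<String> getContents();
    boolean callerMayAudit();
    void remove();
}

// --- CartBean.java ---
package example.cart;

import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remove;
import javax.ejb.SessionContext;
import javax.ejb.Stateful;

// "CartUser" is referenced by @RolesAllowed below, so the container already
// knows the role from those annotations. "CartAuditor" appears only inside an
// isCallerInRole() call, which no annotation scan can see; @DeclareRoles is the
// annotation that declares such programmatically checked role names.
@Stateful
@DeclareRoles({"CartUser", "CartAuditor"})
public class CartBean implements Cart {

    @Resource
    private SessionContext ctx;

    private final List<String> contents = new ArrayList<String>();

    @RolesAllowed("CartUser")
    public void addBook(String title) {
        contents.add(title);
    }

    @RolesAllowed("CartUser")
    public List<String> getContents() {
        return new ArrayList<String>(contents);
    }

    // Declarative access is open to every caller, but the answer depends on
    // whether the caller's principal was mapped to the CartAuditor role.
    @PermitAll
    public boolean callerMayAudit() {
        return ctx.isCallerInRole("CartAuditor");
    }

    @Remove
    @RolesAllowed("CartUser")
    public void remove() {
        // stateful bean instance is discarded after this call
    }
}

/* --- META-INF/sun-ejb-jar.xml for the same EJB module ---
   Vendor descriptor: it maps role names to realm groups (group names assumed).
   Per the sun-ejb-jar DTD the security-role-mapping elements precede
   enterprise-beans.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC
  "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN"
  "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<sun-ejb-jar>
  <security-role-mapping>
    <role-name>CartUser</role-name>
    <group-name>user</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>CartAuditor</role-name>
    <group-name>auditor</group-name>
  </security-role-mapping>
  <enterprise-beans>
    <ejb>
      <ejb-name>CartBean</ejb-name>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
*/
```

Compile the two Java files against javaee.jar and package them with the descriptor in META-INF of the EJB jar. Note that neither file contains a standard ejb-jar.xml at all, which is exactly the situation the question describes: the only place the role names exist on the Java EE side is in the annotations, while the vendor descriptor still refers to them by name.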