Hi,
I'm not sure who to address this to, but presumably the person(s) who
are responsible for EAR and EJB level security for appserver.
I'm looking at the "cart-secure" example in the javaee5 tutorial.
This example is an EAR containing an EJB module and an App Client. The
sun-ejb-jar.xml file for the EJB module and sun-application.xml file for
the EAR define security-role-mapping entries for the role-name "CartUser".
The only place this role is defined is in an @RolesAllowed annotation in
the session EJB inside the EJB module. So I have a few questions --
1. Does this mean that sun-application.xml is allowed to define
security-role-mappings that refer to role names that are _only_ defined
in contained modules? Or is it a bug and there should have been
"security-role" entries in application.xml to define this role at the
EAR level? If it's not a bug, can someone point me to where in the spec
it says EAR's do this, because apparently I can't find it.
2. (a) Does this mean that @RolesAllowed replaces the "security-role"
entry from the standard descriptor ala J2EE 1.4? If so, does that mean
that a security-role entry in the standard descriptor would override this?
(b) Does the server infer any other implicit descriptor values from
this annotation?
(c) Where does @DeclareRoles fit into all this?
Thanks
-Peter