Peter Williams wrote:
> Where does the spec say or suggest that @RolesAllowed in a module can
> map to a security role definition at the EAR level?
Admittedly this isn't specified clearly in a single place.
JSR-250 should define that @RolesAllowed defines a security role, in the
same way that a deployment descriptor entry does.
The Java EE platform spec says that roles defined at the EAR level serve
two purposes:
- They are a convenient way to define roles that apply to multiple
modules of the application.
- They provide a way to override the description of a role defined
by a module.
The namespace of roles has always been application-wide, even though
they might be defined by a particular module. The Java EE platform
spec's deployment chapter talks about resolving conflicts between
role names when assembling modules into an EE application.