security role reference

If an enterprise bean uses security roles in its own methods to determine who has authority to perform tasks (also called programmatic security), the bean has to have a security role reference defined for each role it uses. A security role reference maps the bean's internal names for security roles to roles that exist in the deployment environment.

A security role reference is required, for example, if the enterprise bean makes calls to context.isCallerInRole(rolename) to get a security role.

tip You can define security roles in an EJB module and in a Java EE application. You can link these module-level and application-level security roles to security role references in the included enterprise beans. You can also map these security roles to users and groups that exist in a deployment environment, creating a complete chain from the security role reference in the enterprise bean to the deployment environment's users.