If an enterprise bean uses security roles in its own methods to determine who has authority to perform tasks (also called programmatic security), the bean has to have a security role reference defined for each role it uses. A security role reference maps the bean's internal names for security roles to roles that exist in the deployment environment.
A security role reference is required, for example, if the enterprise bean calls context.isCallerInRole(rolename) to check whether the caller is in a security role.
You can define security roles in an EJB module and in a Java EE application. You can link these module-level and application-level security roles to security role references in the included enterprise beans. You can also map these security roles to users and groups that exist in a deployment environment, creating a complete chain from the security role reference in the enterprise bean to the deployment environment's users.
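The following added example (not code from the original page) shows the chain described above: a bean checks an internal role name with isCallerInRole, and the ejb-jar.xml fragment in the comment links that name to a module-level role. The bean name ExpenseBean and the role names approver and FinanceManager are hypothetical, and the mapping of FinanceManager to real users and groups is server-specific and not shown.

```java
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/*
 * Constructed example. Matching ejb-jar.xml fragment:
 *
 * <enterprise-beans>
 *   <session>
 *     <ejb-name>ExpenseBean</ejb-name>
 *     <security-role-ref>
 *       <role-name>approver</role-name>        <!-- name used in the code -->
 *       <role-link>FinanceManager</role-link>  <!-- module-level role -->
 *     </security-role-ref>
 *   </session>
 * </enterprise-beans>
 * <assembly-descriptor>
 *   <security-role>
 *     <role-name>FinanceManager</role-name>    <!-- mapped to users/groups at deployment -->
 *   </security-role>
 * </assembly-descriptor>
 */
@Stateless(name = "ExpenseBean")
public class ExpenseBean {

    @Resource
    private SessionContext context;

    /** Approves an expense only when the caller holds the linked role. */
    public String approve(long expenseId) {
        // "approver" is the bean's internal name; the container resolves it
        // through the security-role-ref to the FinanceManager role.
        if (!context.isCallerInRole("approver")) {
            // Deny by default: a missing or unlinked role must not grant access.
            throw new EJBAccessException(
                "Caller is not permitted to approve expense " + expenseId);
        }
        // Record who made the decision so the approval can be audited.
        String caller = context.getCallerPrincipal().getName();
        return "expense " + expenseId + " approved by " + caller;
    }
}
```

Because the code only ever names approver, the deployer can relink it to a different module-level or application-level role without recompiling the bean.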