J2EE.3.6 Deployment Requirements
The deployment descriptor describes the contract between the application component provider or assembler and the deployer. All J2EE products must implement the access control semantics described in the EJB, JSP, and servlet specifications, and provide a means of mapping the deployment descriptor security roles to the actual roles exposed by a J2EE product.
While most J2EE products will allow the deployer to customize the role mappings and change the assignment of roles to methods, all J2EE products must support the ability to deploy applications and components using exactly the mappings and assignments specified in their deployment descriptors.
As described in the EJB specification and the servlet specification, a J2EE product must provide a deployment tool or tools capable of assigning the security roles in deployment descriptors to the entities that are used to determine role membership at authorization time.
Application developers will need to specify (in the application’s deployment descriptors) the security requirements of an application in which some components may be accessed by unauthenticated users as well as authenticated users (as described above in Section J2EE.3.4.1.4, “Unauthenticated Users”). Applications express their security requirements in terms of security roles, which the deployer maps to users (principals) in the operational environment at deployment time. An application might define a role representing all authenticated and unauthenticated users and configure some enterprise bean methods to be accessible by this role.
To support such usage, this specification requires that it be possible to map an application defined security role to the universal set of application principals independent of authentication.