Why does J2EE/JAAS require that I need to add role information to my deployment descriptor, i.e. the EJB method "addAccount" requires role "AccountsClerk"?
When I have done this before (not J2EE or JAAS) I have always had a user/role and role/function relationship held in the database.
When a function is requested the application just asks an "authority" if the user has access to this function. It was not important that the function was obtained by virtue of a particular role. The role was just a convenient way of packaging functions. It was not evaluated when a method was invoked.
If I need to specify this at deploy time then how do I then add additional functions to a particular role? Is it another deployment? E.g. the "deleteAccount" function can now be performed by an "AccountsClerk" and "AccountManager". However I am assuming at deploy time I would have specified that the "deleteAccount" method requires role "AccountManager".
In the business world just because the "AccountsClerk" can now delete an account does not make them an "AccountManager" so it does not make sense to upgrade the "AccountsClerk" to "AccountManager".
I am convinced I have misunderstood some central concept in JAAS, e.g. the concept of a role... is it really a function?
Any help would be much appreciated.
This has nothing to do with JAAS, it's the J2EE declarative security model. It's a deployment time binding. If that does not work for you then you need to introduce custom security via an EJB interceptor.
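
The interceptor approach mentioned in the reply, sketched as an added example that is not part of the original thread: authorization is resolved per call from user/role and role/function data, so granting "deleteAccount" to "AccountsClerk" is a data change rather than a redeployment. The class name, the user names and the two in-memory maps (standing in for the database tables the question describes) are assumptions.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

// Hypothetical interceptor; on Jakarta EE 9+ the packages are jakarta.* instead of javax.*.
public class FunctionAuthorizationInterceptor {

    // Constructed sample data standing in for the user/role table.
    private static final Map<String, Set<String>> ROLES_BY_USER = Map.of(
        "alice", Set.of("AccountsClerk"),
        "bob", Set.of("AccountManager"));

    // Constructed sample data standing in for the role/function table.
    // The clerk role holds deleteAccount without becoming a manager.
    private static final Map<String, Set<String>> FUNCTIONS_BY_ROLE = Map.of(
        "AccountsClerk", Set.of("addAccount", "deleteAccount"),
        "AccountManager", Set.of("addAccount", "deleteAccount", "closeLedger"));

    @Resource
    private EJBContext ejbContext; // injected by the container

    @AroundInvoke
    public Object authorize(InvocationContext ic) throws Exception {
        // The container has already authenticated the caller; only the
        // function check is custom. The method name is used as the function name.
        String user = ejbContext.getCallerPrincipal().getName();
        String function = ic.getMethod().getName();
        if (!isPermitted(user, function)) {
            // Deny by default: unknown users, roles or functions are rejected.
            throw new EJBAccessException(user + " may not call " + function);
        }
        return ic.proceed();
    }

    // Roles only package functions; the decision is made on the function.
    static boolean isPermitted(String user, String function) {
        for (String role : ROLES_BY_USER.getOrDefault(user, Collections.emptySet())) {
            if (FUNCTIONS_BY_ROLE.getOrDefault(role, Collections.emptySet()).contains(function)) {
                return true;
            }
        }
        return false;
    }
}
```

The bean opts in with `@Interceptors(FunctionAuthorizationInterceptor.class)` on the class or on individual business methods.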