Question

Is it necessary to list your security roles in both places?

Does it mean or achieve something different in each location?


Solution

Security roles should be defined in the application's deployment descriptor (web.xml), and the mapping to the application server's principals in the runtime deployment descriptor (e.g. glassfish-web.xml).

Check out the section Working with Security Roles of the Java EE 6 tutorial or the NetBeans tutorial about it.

OTHER TIPS

It is not necessary to list the roles in both places.

The security roles defined in application.xml apply to all modules in the enterprise application. For each module, these roles will be combined with the security roles defined in the module's deployment descriptor (web.xml for web application modules). So basically, if you have a multi-module enterprise application that shares roles, you can declare them all in one place. But note that you don't have to declare any role names in the deployment descriptors if you reference all roles via @DeclareRoles and @RolesAllowed annotations, though you still can, in order to give them full descriptions.

From Section EE 8.4.1 of the Java EE Platform Specification (v7): "Descriptions of role names that are used by many components of the application can be included in the application-level deployment descriptor."

And from Section 8.5.2: "When presenting security role descriptions to the Deployer...." goes on to say that what's in application.xml overrides individual modules, if they both specify the same role name.
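To make the two answers concrete, here is an added example (not from the question, either answer, or the cited tutorials) of the three descriptors side by side: the module's web.xml declares the logical role and the constraint that actually uses it, the EAR's application.xml repeats the same role name only to attach a description shared by every module, and the GlassFish runtime descriptor maps the logical role to a realm group. The module name shop-web.war, the context root /shop, the role name admin, the group name shop-admins and the URL pattern /admin/* are all assumptions chosen for illustration; the element names, namespaces and DOCTYPE are the standard Java EE 7 / GlassFish ones.

```xml
<!-- shop-web.war/WEB-INF/web.xml
     Declares the logical role "admin" and the constraint that refers to it.
     Without the security-constraint (or @RolesAllowed/@ServletSecurity in code),
     declaring the role protects nothing. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>        <!-- assumed protected path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>               <!-- must match the declared role exactly -->
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>  <!-- force TLS -->
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>shop</realm-name>                <!-- assumed realm name -->
  </login-config>
  <security-role>
    <description>Module-level description; overridden by application.xml if present</description>
    <role-name>admin</role-name>
  </security-role>
</web-app>

<!-- shop.ear/META-INF/application.xml
     Same role name; only the description lives here, and it applies to all modules.
     The module's own security-constraint still does the enforcing. -->
<application xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="7">
  <module>
    <web>
      <web-uri>shop-web.war</web-uri>            <!-- assumed module name -->
      <context-root>/shop</context-root>         <!-- assumed context root -->
    </web>
  </module>
  <security-role>
    <description>Operators allowed to change catalog prices</description>
    <role-name>admin</role-name>
  </security-role>
</application>

<!-- shop-web.war/WEB-INF/glassfish-web.xml
     Runtime descriptor: binds the logical role to principals/groups of the realm.
     Role names are case-sensitive; a typo here silently leaves the role unmapped. -->
<!DOCTYPE glassfish-web-app PUBLIC
  "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN"
  "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app>
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>shop-admins</group-name>         <!-- assumed realm group -->
  </security-role-mapping>
</glassfish-web-app>
```

The check a practitioner wants after deploying this: authenticate as a user in shop-admins and as a user who is not, and confirm that /shop/admin/ returns a page for the first and 403 for the second. If both get 403, the role is declared but not mapped (or mapped under a different spelling); if both get through, the constraint's url-pattern or role-name does not match what was declared. The application.xml entry is optional for a single-module deployment and changes nothing about enforcement; it only supplies the description the Deployer sees, which per the spec text quoted above wins over the module's own description for the same role name.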

Licensed under: CC-BY-SA with attribution