When a client calls a method, the Container always knows the client’s Principal, which includes the abstract security roles the Deployer assigned to that Principal. And remember, the caller’s security context is propagated throughout the application as the client’s original method goes about doing its work. Each method called in the conceptual call stack will get the security context along with the call.

But... let’s say that you don’t want the client’s security context to keep propagating. Let’s say that when the client calls Bean A, and Bean A in turn calls Bean B, you want Bean B to think that someone else is calling. In other words, what if you want Bean A to pretend to be someone else? That way, any bean that Bean A calls will think the Principal (and roles) of the caller is something other than the original client’s.

Why would you do this? Bean B might have tighter access control. Perhaps Bean B won’t allow outside clients to call its methods, so it doesn’t have method permissions set up for any of the abstract roles mapped to clients users and groups. But perhaps you have a special role set-up just for other beans, and Bean B will take calls from other beans, as long as those beans are in that role.

When you want the bean to BE someone other than the calling client

Explicitly saying that you want the calling client’s ...