At this point, we have said just about all that can be said about the bean itself. We are now ready to describe how the beans are assembled into an application. That is, we are ready to talk about the other major element inside the <ejb-jar> element: the <assembly-descriptor>.

The <assembly-descriptor> element is optional, though it is difficult to imagine a bean being deployed successfully without one. When we say that the <assembly-descriptor> is optional, we really mean that a developer whose only role is to create enterprise beans (for example, someone who is developing beans for use by another party and who has no role in deploying the beans) can omit this part of the deployment descriptor. The descriptor is valid without it—but someone will almost certainly have to fill in the assembly information before the bean can be deployed.

The <assembly-descriptor> serves three purposes: it describes the transaction attributes of the bean’s methods; it describes the logical security roles that are used in the method permissions; and it specifies the method permissions (i.e., which roles are allowed to call each of the methods). To this end, an <assembly-descriptor> can contain three kinds of elements, each of which is fairly complex in its own right. These are: