Just a note to the explanation:
As far as I remember, the overall view on security roles is a set derived from security roles defined in DD and in @DeclareRoles. Therefore I think in order to invoke the isCallerInRole(String) method, it's enough that the role is defined through the @DeclareRoles annotation.Parameters:
roleName - The name of the security role. The role must be one of the security roles that is defined in the deployment descriptor.
Cheers!