Versions Compared


...

  • By default all methods of a business interface are accessible, logged in or not
  • The annotations go on the bean class, not the business interface
  • Security annotations can be applied to the entire class and/or to individual methods
  • The names of any security roles used must be declared via @DeclareRoles

No restrictions

These three examples are all equivalent: no security annotation at all, @PermitAll on the class, and @PermitAll on the method.

Code Block

@Stateless
public class OpenSourceProjectBean implements Project {

    public String svnCheckout(String s) {
        return s;
    }
}
Code Block

@Stateless
@PermitAll
public class OpenSourceProjectBean implements Project {

    public String svnCheckout(String s) {
        return s;
    }
}
Code Block

@Stateless
public class OpenSourceProjectBean implements Project {

    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }
}
  • Allow anyone logged in or not to invoke 'svnCheckout'.

Restricting a Method

Restrict the 'svnCommit' method to only individuals logged in and part of the "committer" role. Note that more than one role can be listed.

Code Block
@Stateless
@DeclareRoles({"committer"})
public class OpenSourceProjectBean implements Project {

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    public String svnCheckout(String s) {
        return s;
    }

}

  • Allow only logged in users in the "committer" role to invoke 'svnCommit'.
  • Allow anyone logged in or not to invoke 'svnCheckout'.

DeclareRoles

Whenever your annotations reference additional roles, add them to @DeclareRoles as well.

...

Restricting all methods in a class

Placing @RolesAllowed at the class level changes the default from PermitAll to the listed roles for every method in the class.

Code Block
@Stateless
@DeclareRoles({"committer"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    public String svnCommit(String s) {
        return s;
    }

    public String svnCheckout(String s) {
        return s;
    }

    public String submitPatch(String s) {
        return s;
    }
}

  • Allow only logged in users in the "committer" role to invoke 'svnCommit', 'svnCheckout' or 'submitPatch'.

Mixing class and method level restrictions

Security annotations can be used at the class level and the method level at the same time. These rules do not stack: the @RolesAllowed on 'submitPatch' replaces the class-level default of "committer" for that method, so only users in the "contributor" role can invoke it.

Code Block
@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    public String svnCommit(String s) {
        return s;
    }

    public String svnCheckout(String s) {
        return s;
    }

    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}

  • Allow only logged in users in the "committer" role to invoke 'svnCommit' or 'svnCheckout'.
  • Allow only logged in users in the "contributor" role to invoke 'submitPatch'.

PermitAll

When a bean class is annotated with @RolesAllowed, the @PermitAll annotation becomes very useful on individual methods to open them back up again to everyone, logged in or not.

Code Block
@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    public String svnCommit(String s) {
        return s;
    }

    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}

Example

...

Code Block: Business Interface

...

  • Allow only logged in users in the "committer" role to invoke 'svnCommit'.
  • Allow only logged in users in the "contributor" role to invoke 'submitPatch'.
  • Allow anyone logged in or not to invoke 'svnCheckout'.

DenyAll

The @DenyAll annotation blocks business interface access to a method for everyone, logged in or not. The method is still invokable from within the bean class itself.

Code Block
@Stateless
@DeclareRoles({"committer", "contributor", "community"})
public class OpenSourceProjectBean implements Project {

    // Injected by the container; used below for programmatic role checks.
    @Resource
    private SessionContext context;

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    @RolesAllowed({"committer", "contributor"})
    public String submitPatch(String s) {
        return s;
    }

    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    // Unreachable through the business interface, but other methods of this
    // bean may still call it directly.
    @DenyAll
    public String deleteProject(String s) {
        return s;
    }

    public boolean isCallerInRole(String role) {
        return context.isCallerInRole(role);
    }
}
Code Block

@Stateless
// @RunAs sets the security identity this bean uses for calls it makes to
// other beans; it does not change which callers may invoke this bean's own methods.
@RunAs("contributor")
@DeclareRoles({"committer", "contributor","community"})
public class BarBean implements Project {

    @Resource
    private SessionContext context;

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    @RolesAllowed({"committer", "contributor"})
    public String submitPatch(String s) {
        return s;
    }

    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    @DenyAll
    public String deleteProject(String s) {
        return s;
    }

    @PermitAll
    public boolean isCallerInRole(String role){
        return context.isCallerInRole(role);
    }
}
  • Allow only logged in users in the "committer" role to invoke 'svnCommit'.
  • Allow only logged in users in the "contributor" role to invoke 'submitPatch'.
  • Allow anyone logged in or not to invoke 'svnCheckout'.
  • Allow no one, logged in or not, to invoke 'deleteProject'.
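The precedence rules spelled out on this page (a method-level annotation replaces the class-level one, no annotation anywhere means PermitAll, @DenyAll closes a method to everyone) can be checked outside a container by reading the annotations with reflection. The following is an added example, not code from this page or from the project it documents. It assumes the JSR 250 annotations are available (the javax.annotation-api jar, or the copy bundled with Java 8); the Project interface is inferred from the methods the page's beans implement; the bean is the page's DenyAll bean with a class-level @RolesAllowed added so every rule is exercised, and with @Stateless and the SessionContext resource left out because they only mean something inside an EJB container; the class AnnotationPolicy, the methods isAllowed and undeclaredRoles, and the UndeclaredRolesBean counter-example are all constructed for this example.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

// Business interface, inferred from the methods the page's beans implement (assumption).
interface Project {
    String svnCommit(String s);
    String svnCheckout(String s);
    String submitPatch(String s);
    String deleteProject(String s);
}

// Variant of the page's DenyAll bean: a class-level @RolesAllowed is added so that
// every precedence rule is exercised; @Stateless and SessionContext are omitted.
@DeclareRoles({"committer", "contributor", "community"})
@RolesAllowed({"committer"})
class OpenSourceProjectBean implements Project {
    public String svnCommit(String s) { return s; }      // no method rule: class rule applies

    @RolesAllowed({"committer", "contributor"})
    public String submitPatch(String s) { return s; }    // method rule replaces the class rule

    @PermitAll
    public String svnCheckout(String s) { return s; }    // reopened to everyone

    @DenyAll
    public String deleteProject(String s) { return s; }  // closed to everyone
}

// Constructed counter-example: roles are referenced but never declared.
@RolesAllowed({"committer"})
class UndeclaredRolesBean {
    @RolesAllowed({"contributor"})
    public String submitPatch(String s) { return s; }
}

public class AnnotationPolicy {

    // Decides whether a caller holding callerRoles may invoke the named method
    // (all methods on this page take a single String) on beanClass. Method-level
    // annotations win over class-level ones; with nothing anywhere the default
    // is PermitAll, exactly as the page describes.
    public static boolean isAllowed(Class<?> beanClass, String methodName, Set<String> callerRoles)
            throws NoSuchMethodException {
        Method m = beanClass.getMethod(methodName, String.class);
        if (m.isAnnotationPresent(DenyAll.class)) return false;
        if (m.isAnnotationPresent(PermitAll.class)) return true;
        RolesAllowed rule = m.getAnnotation(RolesAllowed.class);
        if (rule == null) {
            // No method-level rule: fall back to whatever the class declares.
            if (beanClass.isAnnotationPresent(PermitAll.class)) return true;
            rule = beanClass.getAnnotation(RolesAllowed.class);
        }
        if (rule == null) return true;  // no restriction anywhere: PermitAll is the default
        for (String role : rule.value()) {
            if (callerRoles.contains(role)) return true;
        }
        return false;
    }

    // Deploy-time check for the DeclareRoles section: every role named in a
    // @RolesAllowed must also appear in @DeclareRoles. Returns the roles that
    // are referenced but not declared (empty when the bean is consistent).
    public static Set<String> undeclaredRoles(Class<?> beanClass) {
        Set<String> declared = new HashSet<>();
        DeclareRoles dr = beanClass.getAnnotation(DeclareRoles.class);
        if (dr != null) declared.addAll(Arrays.asList(dr.value()));
        Set<String> missing = new HashSet<>();
        RolesAllowed classRule = beanClass.getAnnotation(RolesAllowed.class);
        if (classRule != null) collectMissing(classRule, declared, missing);
        for (Method m : beanClass.getDeclaredMethods()) {
            RolesAllowed rule = m.getAnnotation(RolesAllowed.class);
            if (rule != null) collectMissing(rule, declared, missing);
        }
        return missing;
    }

    private static void collectMissing(RolesAllowed rule, Set<String> declared, Set<String> missing) {
        for (String role : rule.value()) {
            if (!declared.contains(role)) missing.add(role);
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> anonymous = Collections.emptySet();
        Set<String> contributor = Collections.singleton("contributor");
        Set<String> committer = Collections.singleton("committer");
        Class<?> bean = OpenSourceProjectBean.class;

        System.out.println("svnCommit by anonymous:     " + isAllowed(bean, "svnCommit", anonymous));
        System.out.println("svnCommit by committer:     " + isAllowed(bean, "svnCommit", committer));
        System.out.println("submitPatch by contributor: " + isAllowed(bean, "submitPatch", contributor));
        System.out.println("svnCheckout by anonymous:   " + isAllowed(bean, "svnCheckout", anonymous));
        System.out.println("deleteProject by committer: " + isAllowed(bean, "deleteProject", committer));
        System.out.println("undeclared in OpenSourceProjectBean: " + undeclaredRoles(bean));
        System.out.println("undeclared in UndeclaredRolesBean:   " + undeclaredRoles(UndeclaredRolesBean.class));
    }
}
```

Compile and run with `javac AnnotationPolicy.java && java AnnotationPolicy` (on Java 9 and later, put the javax.annotation-api jar on the classpath). The undeclaredRoles check is the one worth wiring into a build: a role that is referenced but not declared is exactly the mistake the DeclareRoles section warns about, and catching it before deployment is cheaper than debugging an unexpected access denial in the container.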