Comment: Migrated to Confluence 5.3

This page shows the correct usage of the security-related annotations:

  • javax.annotation.security.RolesAllowed
  • javax.annotation.security.PermitAll
  • javax.annotation.security.DenyAll
  • javax.annotation.security.RunAs
  • javax.annotation.security.DeclareRoles

Basic idea

  • By default all methods of a business interface are accessible, logged in or not
  • The annotations go on the bean class, not the business interface
  • Security annotations can be applied to an entire class and/or individual methods
  • The names of any security roles used must be declared via @DeclareRoles

No restrictions

Allow anyone logged in or not to invoke 'svnCheckout'.

These three examples are all equivalent

Code Block
@Stateless
@DeclareRoles({"committer"})
public class OpenSourceProjectBean implements Project {

    public String svnCheckout(String s) {
        return s;
    }
}
Code Block

@Stateless
@PermitAll
public class OpenSourceProjectBean implements Project {

    public String svnCheckout(String s) {
        return s;
    }
}
Code Block

@Stateless
public class OpenSourceProjectBean implements Project {

    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }
}

  • Allow anyone logged in or not to invoke 'svnCheckout'.

Restricting a Method

Restrict the 'svnCommit' method to only individuals logged in and part of the "committer" role. Note that more than one role can be listed. You need to update @DeclareRoles when referencing more roles in your annotations.

Code Block
@Stateless
@DeclareRoles({"committer", "contributor"})
public class OpenSourceProjectBean implements Project {

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    public String svnCheckout(String s) {
        return s;
    }
}

...

  • Allow only logged in users in the "committer" role to invoke 'svnCommit'.
  • Allow anyone logged in or not to invoke 'svnCheckout'.

DeclareRoles

You need to update the @DeclareRoles when referencing roles via isCallerInRole(roleName).

Code Block
@Stateless
@DeclareRoles({"committer", "contributor"})
public class OpenSourceProjectBean implements Project {

    @Resource SessionContext ctx;

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        ctx.isCallerInRole("committer"); // Referencing a Role
        return s;
    }

    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}

Restricting all methods in a class

Placing the annotation at the class level replaces the default of PermitAll for every method in the class.

Code Block

@Stateless
@DeclareRoles({"committer"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    // No method-level annotation: the class-level @RolesAllowed applies to all three methods
    public String svnCommit(String s) {
        return s;
    }

    public String svnCheckout(String s) {
        return s;
    }

    public String submitPatch(String s) {
        return s;
    }
}
  • Allow only logged in users in the "committer" role to invoke 'svnCommit', 'svnCheckout' or 'submitPatch'.

Mixing class and method level restrictions

Security annotations can be used at the class level and method level at the same time. These rules do not stack, so marking 'submitPatch' overrides the default of "committers".

Code Block
@Stateless
@DeclareRoles({"committer", "contributor", "community"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    public String svnCommit(String s) {
        return s;
    }

    public String svnCheckout(String s) {
        return s;
    }

    // Replaces the class-level rule for this method; the two do not combine
    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}
  • Allow only logged in users in the "committer" role to invoke 'svnCommit' or 'svnCheckout'
  • Allow only logged in users in the "contributor" role to invoke 'submitPatch'.

PermitAll

When annotating a bean class with @RolesAllowed, the @PermitAll annotation becomes very useful on individual methods to open them back up again.

Code Block

@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    public String svnCommit(String s) {
        return s;
    }

    // Opens this method back up despite the class-level @RolesAllowed
    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}
  • Allow only logged in users in the "committer" role to invoke 'svnCommit'.
  • Allow only logged in users in the "contributor" role to invoke 'submitPatch'.
  • Allow anyone logged in or not to invoke 'svnCheckout'.

DenyAll

The @DenyAll annotation can be used to deny business interface access to anyone, logged in or not. The method is still invokable from within the bean class itself.

Code Block
@Stateless
@RunAs("contributor")
@DeclareRoles({"committer", "contributor", "community"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    public String svnCommit(String s) {
        return s;
    }

    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }

    // Not callable through the business interface by anyone
    @DenyAll
    public String deleteProject(String s) {
        return s;
    }
}
  • Allow only logged in users in the "committer" role to invoke 'svnCommit'.
  • Allow only logged in users in the "contributor" role to invoke 'submitPatch'.
  • Allow anyone logged in or not to invoke 'svnCheckout'.
  • Allow no one logged in or not to invoke 'deleteProject'.

Illegal Usage

Generally, security restrictions cannot be made on AroundInvoke methods and most callbacks.

The following usages of @RolesAllowed have no effect.

Code Block

@Stateful
@DeclareRoles({"committer"})
public class MyStatefulBean implements MyBusinessInterface {

    // @RolesAllowed has no effect on any of the callbacks below

    @PostConstruct
    @RolesAllowed({"committer"})
    public void constructed(){

    }

    @PreDestroy
    @RolesAllowed({"committer"})
    public void destroy(){

    }

    @AroundInvoke
    @RolesAllowed({"committer"})
    public Object invoke(InvocationContext invocationContext) throws Exception {
        return invocationContext.proceed();
    }

    @PostActivate
    @RolesAllowed({"committer"})
    public void activated(){

    }

    @PrePassivate
    @RolesAllowed({"committer"})
    public void passivate(){

    }
}
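
The precedence described under "Mixing class and method level restrictions" and the callback rule under "Illegal Usage" can be checked mechanically. The following is an added example, not code from the original page: a reflection-based audit that reports the effective rule per method and flags callbacks. `SecurityAnnotationAudit` and `SampleBean` are hypothetical names, the sample bean is constructed for illustration, and the `javax.annotation` API jar is assumed to be on the classpath.

```java
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.*;
import javax.annotation.PostConstruct;
import javax.annotation.security.*;

public class SecurityAnnotationAudit {
    // Callback annotations on which security annotations have no effect (see "Illegal Usage").
    static final Set<String> CALLBACKS = new HashSet<>(Arrays.asList(
        "PostConstruct", "PreDestroy", "AroundInvoke", "PostActivate", "PrePassivate"));

    // First security annotation found in the array, or null if there is none.
    static String ruleOn(Annotation[] annotations) {
        for (Annotation a : annotations) {
            if (a instanceof DenyAll) return "DenyAll";
            if (a instanceof PermitAll) return "PermitAll";
            if (a instanceof RolesAllowed)
                return "RolesAllowed" + Arrays.toString(((RolesAllowed) a).value());
        }
        return null;
    }

    // Method level replaces class level (the rules do not stack); no annotation means open.
    static String effectiveRule(Method m) {
        String rule = ruleOn(m.getAnnotations());
        if (rule == null) rule = ruleOn(m.getDeclaringClass().getAnnotations());
        return rule == null ? "PermitAll (default)" : rule;
    }

    static boolean isCallback(Method m) {
        for (Annotation a : m.getAnnotations())
            if (CALLBACKS.contains(a.annotationType().getSimpleName())) return true;
        return false;
    }

    // Constructed sample bean (hypothetical), mirroring the examples on this page.
    @RolesAllowed({"committer"})
    static class SampleBean {
        public String svnCommit(String s) { return s; }
        @PermitAll public String svnCheckout(String s) { return s; }
        @RolesAllowed({"contributor"}) public String submitPatch(String s) { return s; }
        @DenyAll public String deleteProject(String s) { return s; }
        @PostConstruct @RolesAllowed({"committer"}) public void constructed() { }
    }

    public static void main(String[] args) {
        Method[] methods = SampleBean.class.getDeclaredMethods();
        Arrays.sort(methods, Comparator.comparing(Method::getName));
        for (Method m : methods)
            System.out.println(m.getName() + " -> " + (isCallback(m)
                ? "callback: security annotations have no effect" : effectiveRule(m)));
    }
}
```

An ejb-jar.xml deployment descriptor can override annotations, so the output is the annotation-level view only.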